FRONTLINE: Cyber War!

Three cyber security experts are ready to answer questions from viewers of FRONTLINE's 'Cyber War!.' We invite you to email your question here and FRONTLINE will post it, together with the experts' responses, within 24 hours.

Note: This opportunity to send in your questions will extend through Tuesday night, April 29. FRONTLINE cannot promise to post every question we receive, but we will do our best to represent the range of questions asked.

Fielding your questions will be:

James Lewis
He is a senior fellow and director of technology policy at the Center for Strategic and International Studies.


O. Sami Saydjari
He is chief executive officer of Cyber Defense Agency and chairman of the Professionals for Cyber Defense.

Dear FRONTLINE,

I work as a network operations analyst for a company that is a critical technology backbone of the hotel industry, which powers the majority of electronic hotel reservations around the world. I was very impressed with the comments and interviews in tonight's program.

Working in an industry that has been severely impacted by recent events, expenditure and effort in proactive security improvement is a very difficult sell. I would like to ask what public and private assistance organizations are out there that can help my peers and me push proactive security initiatives through in a very visible infrastructure target such as mine?

Thanks in advance.

Michael Wilkinson
phoenix, az

experts respond:
From O. Sami Saydjari: Good question. Start with the Computer Emergency Response Team (CERT) at http://www.cert.org/, a government-sponsored institution that tracks attacks, helps develop countermeasures, and publishes best-practice guidelines. I would also highly recommend the SANS (SysAdmin, Audit, Network, Security) Institute at http://www.sans.org/, a private collection of system administration professionals who work toward making cyberspace a more secure place. SANS also tracks vulnerabilities and offers best-practice advice, including some sample security policies. Both sites offer pointers to many other related useful sites. There are also some useful recommendations and pointers in the National Strategy to Secure Cyberspace at http://www.whitehouse.gov/pcipb/.


Dear FRONTLINE,

In your opinion, how will law enforcement deal with the growth of encryption tools, as well as stronger encryption algorithms, being made public?

John Bridbord
new york, ny

experts respond:
From O. Sami Saydjari: Assuming that you are referring to wiretap access, law enforcement will ultimately have little choice but to focus their access on the end points, before the communications are secured.
From James Lewis: Encryption and open source are similar issues in the sense that they are part of the landscape now for IT and are not going to go away. Governments have to learn to change to accommodate this new landscape. The US thought about trying to restrict access to encryption in the mid 1990s, but decided that restrictions would fail. For law enforcement, they've had to move to more expensive and riskier approaches to intercept messages as a result (such as covert entry to gain access to a computer), but so far they seem to be able to keep up with technology. This could change in the future, of course, and the FBI and others remain concerned about the threat that their wiretap capabilities will continue to erode.


Dear FRONTLINE,

Why is it that we have not seen any disruption in any system in the US (electrical, for instance) besides the relatively harmless DOA's like CodeRed or Nimda? My point is that surely at some time such an attack would be tried by any enemy one could name. "Testing the system" theories make no sense, as it would indicate a concerted effort of all of the varied enemies we have. Surely just one nameless individual in, say, China, would take the opportunity just once? It baffles me.

My other question is the point made that these DOA's are (again) testing our system, and are part of a bigger plan developed by these groups. My belief is that it's individuals, not nations or organizations. A number of web sites showcase hacker members and their latest efforts. Thanks, LKern

Les Kern
morris, illinois

experts respond:
From O. Sami Saydjari: Re: your first question - the same question might be asked of chemical and biological weapons use within U.S. borders. It is hard to say why these have not happened yet. Taking the power grid down and holding it down would require substantial resources and planning. If an adversary were to develop such a capability, the adversary would likely hold it in reserve for when it was really needed to have some strategic effect.

Re: your other question...The vast majority of attacks are done by individual attackers, as you suggest. At the same time, we know that nation-states also have significant capabilities and some have used those capabilities in limited ways.

From James Lewis: Baffles me too, which is why I think cyber attacks are overrated. I put links to a long paper and a short paper at the end of this answer that try to answer this question. In a nutshell, while there have been many terrorist attacks and many hacking incidents, there have not been any cyber terror or cyber attacks on infrastructure. Part of the explanation for this disparity lies with the goals and motives of terrorists. The people who are attracted to terrorism seek to do violence against their opponents. Cyber attacks are unsatisfactory in this regard. Terrorists' plans call for actions that have a political and psychological effect produced by the shock and horror of physical destruction and casualties. Cyber attacks do not produce these. Terrorists have a keen sense of operational risk and will avoid untested weapons whose effect is unclear or unknown. Some experts go so far as to say that terrorists may avoid cyber weapons because of the potential risk it could pose to their own operations and communications.

There is also the issue that the hypothetical vulnerability of various infrastructures - water systems, air traffic control, electrical grids - is routinely overstated in cyber attack scenarios. These infrastructures are not dependent on computer networks for their operation. Many analyses that predict 'electronic Pearl Harbors' assume that there is a close connection between the physical and the cyber. In most instances, however, this connection seldom exists. Hackers, for example, cannot cause aircraft to fly into each other because there are still pilots and air traffic controllers that do not depend on computers.

A closer examination suggests that: (a) computer networks and critical infrastructure are not equally vulnerable; (b) nations are robust and resilient in responding to attacks, thus the potential for damage is limited, and (c) critical infrastructures in the U.S. have considerable redundancy, are accustomed to system failure, know how to repair these failures, and still require human intervention for many control mechanisms. This makes it difficult for remote computer attacks to disrupt critical functions.
http://www.csis.org/tech/0211_lewis.pdf (long)
http://www.csis.org/tech/0403_cyberterror.pdf (short)

With regard to your other question - There have been some good studies of hackers and these have found, as you suspected, that they tend to be individuals showing off to other hackers. I think there are countries that hack into computer systems, but their goal is espionage. They want to sit quietly and collect information, not cause some temporary flap that would end up with them being shut out.


Dear FRONTLINE,

Can it be determined if an attack is committed by a single person or by a cooperative group? Can a single hacker be as destructive as, say, a known group of attackers (i.e. Al Qaeda)? Are most attacks committed by lone hackers? It seems to me that a lot of "inside" hacking would be logical, committed by people who are familiar with systems and perhaps disgruntled, rather than by terrorists half a world away. Are there such things as hacking gangs? Excuse my naivete, but really, what is there to gain by hacking other than cheap thrills?

Amy Hayman
baldwin, new york

experts respond:
From O. Sami Saydjari: Unsophisticated attacks that are repeats of already-seen attacks are almost certainly done by lone hackers looking for cheap thrills. More sophisticated attacks that require more planning, insider access, and coordinated multi-step attacks generally indicate that well-resourced organizations are involved. Single hackers, through worms and viruses, can do significant harm. Patient and well-resourced adversaries can go well beyond that level and can have strategic impact on national security and disrupt important services such as power, transportation, and banking.

From James Lewis:

These are good issues. There's been a lot of work done on the hacker personality, so your question isn't naive, it's right on target. Most hackers or virus writers tend to be young, single males with weak social skills who want a cheap thrill. Damage, in the sense of economic loss to companies, tends to come from professionals stealing intellectual property or financial data. It's hard to tell (especially in the beginning) if an attack comes from a single person or a group, in part because it's still easy for a single person to take over thousands of computers and have them automatically launch attacks. There are hacking gangs, both in the sense of clubs and also criminal gangs. I think most people (including the FBI) would tell you that the 'insider' threat is much greater than terrorists, if only because the insider has the specific knowledge about how a network is constructed, how the company operates and so on. An outsider can't get that knowledge.


Dear FRONTLINE,

The program was very informative, but dealt only with probing or attacking systems and networks with viruses. Is there also concern about adversaries hiding information (or viruses) in images or audio files as a means of transfer to their cohorts? I think I read something about this as a method Al Qaeda used to transmit instructions. This activity may be more criminal (profit-based) in nature, but sensitive infrastructure or military information could be stolen this way as well. Are there any public sources or references on this subject?

Lou Finnegan
falmouth, ma

experts respond:
From O. Sami Saydjari: You are correct. Information hiding of the type you describe is a key problem in leaking sensitive information, transmitting illicit information, and in controlling malicious software. Hiding information inside of images is called "steganography." The term "covert channels" refers to hiding information in communication channels. Many technical papers have been published on both of these topic areas. A general literature search on these key words will turn up many interesting references.


Dear FRONTLINE,

Following the fact that DARPA decided to take back the 2 million awarded to the OpenBSD project for research funding, I was wondering if any of you had some insight into the reason why?

Personally, starting out in the security field, I think it really is a shame that one of the most secure and available operating systems in the world has to rely on the generosity of people who use OpenBSD and understand the need for a REAL secure system.

Jean-Nicolas Raymond
trois-rivieres, quebec

experts respond:
From O. Sami Saydjari: On the question of the DARPA funding change, I have no inside knowledge on why this decision was made. More generally, the DARPA budget in information assurance research appears to be trending downward without a corresponding increase in funding from other agencies. This is a source of concern given the gravity and magnitude of the current national vulnerabilities.

From James Lewis:
There's a big debate now within the government and particularly within DOD as to how to interact with open source software. A decision on Open BSD would reflect this. Some people say the government should not support open source because it is unfair competition with the private sector, others say open source is crucial because it's more secure. I'd note the NSA is continuing with its work on Secure Linux but the policy debate needs to work through a whole set of commercial, IP and security issues.


Dear FRONTLINE,

Given the recent shift of IT jobs overseas to countries with views counter to the US, do you believe that this poses a significant increase in risk? With the code for applications being run in major US companies and government agencies being developed outside of our eyes by individuals who have the means and knowledge to place malicious code directly into these applications, I feel this is a major risk that CIOs here are overlooking to save a few dollars in the current economy. How do you feel about this?

boston, ma

experts respond:
From O. Sami Saydjari: Absolutely. Outsourcing software development overseas increases the risk significantly. At the same time, we should also understand that there is still significant risk with software development in the United States due to the possibility of insiders placed by adversaries. We must develop systems to withstand the possibility of such internal subversions.


Dear FRONTLINE,

I am a VP at a major national insurance broker and have been involved in insuring cyber risks. This involves, in many cases, assessments both online and in the real world. Many of the findings are that networks are very vulnerable. Those that have sufficient security are able to purchase insurance against viruses, unauthorized access (both from employees and outside hackers), DDOS etc. I would appreciate your thoughts on this aspect. Things burn, so companies purchase fire insurance; is the same logic true for cyber attack?

Brian Brown
atlanta, ga

experts respond:
From O. Sami Saydjari:
Yes, exactly. Cyberspace insurance would be purchased to limit the maximum damages incurred from an attack and would be based on some minimum acceptable level of protection employed by the system being insured. As technology improves, that standard will hopefully get higher over time.

From James Lewis:
It turns out to be hard to quantify risk (so far) on cyber security. Insurance companies have good data on fires, car accidents etc. that allow them to predict how likely an accident is to occur and what the likely cost will be. We don't have the same actuarial data on cyber, in part because companies conceal damages and in part because damages can be hard to quantify. The other side of this is that for things like fires, insurance companies have good data on how certain actions reduce risk. A building owner installs sprinklers and this lowers the risk of fire damage. We don't have that same level of knowledge for many network security steps - you can do everything in the ISO standard and still have problems. Finally, many companies self-insure for many cyber risks, because both the probability and the damages are so low. I think this means we will see a few years of trial-and-error until enough data builds up that allows insurers to offer attractive products.


Dear FRONTLINE,

The topics in the show are scary, but now some laws may make the private sector afraid to create new tools if it makes them liable, including one that left the Nimda worm you mentioned with one less programmer trying to stop it.

What is your opinion on the latest DMCA laws that have been enacted in some states, effectively making firewalls and Network Address Translation routers illegal due to their poor wording? Here's a snippet from eWeek.

One of the common aspects of these laws is that they make illegal any device or program that can "conceal or to assist another to conceal from any communication service provider or from any lawful authority the existence or place of origin or destination of any communication." Aside from LaBrea, this makes a whole set of common IT programs and hardware illegal, from firewalls to VPNs to privacy applications.

http://www.eweek.com/article2/0,3959,1033071,00.asp

James OHara
westborough, ma

experts respond:
From O. Sami Saydjari: While I favor protecting intellectual property, I think DMCA is ill-conceived for the reasons you say.

From James Lewis:
DMCA is a good example of unintended consequences. People worry that it (and other IP protection laws) will reduce research into improved computer security products. There is some evidence that at least initially, DMCA was having this effect. Laws like DMCA and the digital rights management (DRM) technologies that are being designed to provide IP protection could end up reshaping the Internet into something less useful if we aren't careful in how they are implemented (IP protection is important, but it has to be done in a way that balances protection with access and user rights). The best thing to do may be to point out when IP protection legislation has the effect of damaging network security efforts, as legislators seem willing to take security into account. The other thing to think about is whether these laws should have 'sunset clauses' so that after a few years we're forced to rethink them to see if they work.

Published Apr. 24, 2003

Web site copyright 1995-2005 WGBH Educational Foundation