Is it really possible to devise protection for the infrastructure of the
Well, yes. But I want to make a distinction here. I don't know that you can
totally secure something within the internet. . . . The internet, when it was
originally designed, was designed to be open. And now we are trying to protect
it in the way that you can close all the doors, and by its very nature, it
won't happen. Not in the foreseeable future. Maybe never. So what you have
to be able to do, if you are concerned about protecting a particular system . .
. is to put obstacles in the way of someone who wants to get access to it. . .
But there's no way of being on the internet that's not risky?
No. You cannot build a wall around your computer and assume it will never be
attacked, or that it will be protected totally, unless, of course, you're
connected to nothing, and you lock it in a room, and never use it. . . .
If I am on the internet, what are the chances that I am vulnerable to some
kind of an intrusion or loss?
Well, I would almost say that there's a 100 percent chance that you're
vulnerable. The internet itself is vulnerable. You are vulnerable, no matter
where you are on the internet. . . .
All this additional risk to the integrity and the security of people's
information and their assets has raised some pretty interesting new thinking on
liability questions. Who is ultimately going to be responsible in the case of
I think liability is a very real issue, and probably one of the greatest
driving forces that we're going to be dealing with in the next few years. . .
. What we also see now is government regulation coming out. If you take a look
at Gramm-Leach-Bliley Act,which is the banking finance law,
and the proposed Treasury regulations, they are putting responsibility on
boards of directors and managers to risk-manage proactively, and very
extensively. And when you take a look at the law and the regulation, it may
raise the bar with regard to liability for CEOs and boards of directors who
want to protect the information. . . .
What are you learning about the security of the system from tests that have
been ongoing? What do we know about that overall condition of security?
The strongest recommendation of the President's Commission was-- and that is
right now--that the most pressing concern is education and awareness. When you
go in to all of these systems, you're finding out that, yes, people had
patches, but didn't know how to install them, so they didn't install them.
They don't have the necessary resources. . . .
Are you really saying that what we are learning from the tests we're doing
that it is a very insecure place?
Oh, absolutely. And one of the reasons it's insecure is people don't know what
they're doing in many cases, and the people that you do have don't have the
training, education, awareness, etc., to protect the system you have.
Is that just an inherent set of circumstances that we buy with the
technology, or can we do something about that?
I don't know that it's inherent. I think we can do something about it, and
that's what the President's Commission report was all about. . . .
Once people understand, once we understand the internet, and once we understand
the consequences of our act when we take a laptop home and we take a computer
disk from work, and we load it at home, and maybe take it back . . . then we
have a better way of dealing with it. . . .
If you're asking me, "Can we evolve or can we develop this so that you have the
ability to make it so that no one can break into anything?" I don't think that
will ever happen. So you can't make it that secure. But you can make
it secure, in the sense that, as people become aware of security practices and
how the system works, you can protect the information that you want to protect
by making conscious decisions.
How big a problem are hackers?
. . . I find hacking an interesting development in understanding the system.
All of these hackers that we deal with today were growing up on the internet
when it was more open. Ten, fifteen years ago, they were at home on their
computer, playing. And most of us learned what's right and what's wrong from
our parents. They tell us, "Don't put your hand on the stove or you'll get it
burned," or, "You shouldn't tell a lie." . . . That didn't take place on the
internet. So a Lord of the Flies-type of environment was created there,
because there were no restraints. No one looking over their shoulders to tell
them what's right and wrong. And now we have industry coming on in, and
saying, "We need to make this secure and you shouldn't do this because it hurts
others." And that creates a problem for the hackers that are out there,
because their sense of what's right and wrong is different than the sense of
what industry believes is right or wrong. . . .
Hackers are a problem, for business and for my personal use of the internet,
because they raise the cost of me having access to it. It raises the cost of
doing business, and that's a concern. But on the other side, young hackers
have a problem, because we're taking away something that they feel, at this
point, is theirs--something that was open and free. . . .
What do you think of these hackers? What do you think of these
counterculture people who think that you're a big bully, who think that your
company is going to steal democracy out of the system?
I think again, with them, it's an education and awareness. I think what you're
dealing with here is that we are moving in on what they consider their
territory, and we have to find an accord to educate them. Because right now,
industry does have, and we, the American people, do have a valid stake in this,
and they have to make room to play. And until they all can use it effectively,
until we can educate them as to what should and shouldn't take place, it's a
problem. It's a problem, because to catch one young hacker probably takes the
resources of 30 or 40 government individuals, or private sector individuals,
four to five man-weeks, and what are you going to do? Are we ready to drop the
hammer on a 17-year-old, 13-year-old, 15-year-old, when we really don't have a
lot of guidelines as to what they should or shouldn't have been doing?
And you're not entirely sure whether he's really out to get you, or is he
just playing around?
That's true. In many cases, the ones we catch are the ones that are playing.
. . .
What kind of an impression have they individually made on you when you find
and meet one?
They're very interesting people. I find that as you get to know them and you
garner their trust, they will give you their trust if you have a sincere
interest in what they're doing--and I do. They share with you what they've
done. They're willing to tell you what they do, and how they do it, because
this is their life, and it's a solitary life. When you spend hours and hours
in front of a screen, hacking, or whatever it is that you're doing on the
system . . . you're there alone. And when someone actually walks in . . . they
finally have someone to talk to, and they want to be recognized for what
they've accomplished. But I don't think they're going to be different than the
rest of us. It's just driven by different life experience, and that they've
spent so much time in front of the screen. . . .
Is iDefense a private sector spy agency, a private sector police agency, or
a New Age consulting company?
Well, I like the last alternative--a New Age consulting company. . . .
What specifically do your clients come to you for help with?
They are primarily coming for us for information concerning the threat to their
businesses. . . . Like viruses. For example, the "Melissa" virus was
active in Europe for some eight hours before it came over to the United States.
That eight-hour warning would have allowed the companies who can't afford the
loss of a system because of that virus to disconnect the system until a patch
was provided . . .
[Our clients are] concerned about someone breaking into a system if there's a
disgruntled employee. . . . Are they being targeted? Is there some active
group that has a some stated focus--like they're interested in protecting the
environment, they're interested in protecting this or defending that Are they
mad at me? Are they talking to hackers to see if they can attack as a matter
of social protest? All of that has become very real today in this environment.
It doesn't take long to take down a web site, or to do a denial of service
attack. . . .
When something comes down, when somebody is badly hurt, who ultimately is
going to be held liable for that?
I don't know. And that's why liability is such a real concern today. If I
were to break into your system, and use that to go downstream to another
system, there's no clear-cut law saying that there's liability on your part.
You only have an obligation to protect the records for your client base, and
for your customers and for your corporate owners. There's no real
responsibility downstream, since you have not actively done anything. But that
doesn't mean that, as the bar is raised, as the business practice says
everybody should have a certain security and you don't have that implemented on
your system, that tomorrow there won't be an issue of liability, because you
didn't have that in place. . . .
Knowing what the industry is doing allows you to address those liability
issues, because if you're doing what the state of the art is, or what the rest
of the industry is doing, you're using a legal standard as a reasonably prudent
person, and there shouldn't be liability. . . . While there may not be
liability today, if you act openly and with wanton disregard of things that you
could implement down the road, you may find a judge that says, "Well, you
should have done it." So knowing what's going on . . . and knowing what
everybody else is doing is really key to whether or not there's going to be
liability for you today, and maybe liability for everyone else tomorrow. And
we're talking big dollars here. Because in the loss of a system, if people are
doing an internet business, one attack where they exploited your system could
easily cost you $10 million or $30 million, if that loss can be proven and
established. . . .
I do know that the courts are not really prepared to look at the damages issue,
and how you define damages is unclear. But there are big numbers being thrown
around. If I remember correctly, going back a year or two, when Kevin
Mitnick was sentenced, Wired magazine ran an article, pointing out
that two major corporations said they lost literally millions, $20-plus million
each because of the actions he took. And if someone has to pay for that, the
lawyers will find a way to come up with creative reasons why someone should
pay. . . .
home · who are hackers? · risks of the internet · who's responsible · how to be vigilant · interviews
discussion · video excerpts · synopsis · press · tapes · credits
FRONTLINE · wgbh · pbs online
some photos copyright ©2001 photodisc
web site copyright 1995-2013 WGBH educational foundation