homewho are hackers?the riskswho's responsibleprotecting yourselfinterviews

interview: michael vatis

photo of michael vatis

At the time of this interview, Vatis was the Deputy Assistant Director within the FBI National Security Division. He served as the Chief of the National Infrastructure Protection Center. He resigned from this position in February 2001. Prior to his work at the FBI, he was Associate Deputy Attorney General, Executive Office for National Security, (1994-1998). In this capacity, he advised the Attorney General and the Deputy Attorney General on national security matters, and coordinated the Department of Justice's national security activities.
What sort of resources are you bringing to bear on the problem of protecting the national infrastructure?

The National Infrastructure Protection Center (NIPC) has approximately 90 special agents. There are also analysts . . . from the FBI and then approximately 20 other people from other government agencies--the Department of Defense, the CIA, the National Security Agency and other departments, as well. In addition to that, we have approximately 193 agents located in FBI field offices around the country who are the on-the-ground investigators for computer crime cases. In addition, we have equipment of all sorts to help us to the technical side of an investigation.

What's the budget for NIPC?

The budget for personnel, headquarters and equipment is approximately $14 million.

And are you able to keep up?

The crime problem is growing considerably, and it's growing very quickly. I think it's very important that we get additional resources and that we devote more manpower to this issue, because the crime problem is growing so fast. We've seen a doubling of our caseload in the last couple of years, yet our resources have stayed static.

What sort of cases are you dealing with?

Well, I can't talk about any pending investigations. But we have cases that really run across a very broad spectrum. We have cases involving insiders, who are basically out for revenge against their employer or former employer, and they make off with proprietary information or try to damage the system as an act of revenge. We've got individual hackers, often juveniles, who deface web sites or break into systems just for the sake of acquiring bragging rights in the hacker community. We're also seeing a big spike in the number of cases involving organized criminal groups who are in it for illicit financial gain. They steal credit card numbers so that they can re-sell those numbers or steal money, like transferring bank account funds from bank accounts into their own accounts, and steal proprietary information.

We're also concerned about the prospect of cyberterrorism--not the often over-used term to refer to any sort of hacking--but violent activity carried out through cyber means. We're concerned about the shutting down of critical national systems, such as electrical power or banking systems or telecommunications by a terrorist group that's seeking to intimidate the US government into doing something or to refrain from doing something that they don't like.

And of course we're also worried about the prospect of information warfare, which is the foreign military using cyber techniques to shut down critical systems much like a cyberterrorist would, but as an element of warfare.

What evidence is there that organized crime has moved into this area?

Well, we have a number of cases now pending in which groups of people, some in the US and some abroad, are engaged in hacking to get into systems. They want to steal information or to steal money or to carry on an extortion attempt. They contact the owner of the system and basically say, "If you don't pay me a certain amount of money, I will make public the vulnerabilities in your system," or, "I'll make public certain proprietary information or credit card numbers and damage your reputation." We have many cases now that fall into that category.

And what is your success rate compared to the amount of crime that you think is out there?

Our success rate has really increased a lot over the last few years. We've had a great success in tracking back people who have written very damaging viruses, such as the "Melissa" virus or the "I Love You" virus, or the juvenile who launched most of the . . . denial of service attacks in February of this year. We were able to trace him back with the very capable assistance of the Royal Canadian Mounted Police, who investigated within the borders of Canada.

There's been a romanticization of hackers in the past as people who weren't really engaging in crime somehow, but who were just testing their skills  at pointing out vulnerabilities. Are you seeing evidence of terrorists?

We've seen terrorist groups begin to use information technology in a very robust way. They use it for secure communications. They use it for propagandizing. They use it for fundraising. We've also seen a focus by terrorists in the last few years on infrastructures as targets, seeking to disrupt civilian-owned systems that are crucial for a nation's economy. We have not yet seen a sophisticated cyberterrorist attack that combines those two things--the use of information technology to focus on the computers that run an infrastructure system. But I think it's something that really is a matter of time before we see it, because the trends are taking us in that direction.

Is there a profile of the [computer-related] organized crime?

. . . We are seeing organized groups engaged in criminal activity around the world. . . . We had one group called the Phonemasters, investigated by the FBI's Dallas division, which was a group of hackers who stole telephone calling card information and then re-sold those calling card numbers through a chain of international intermediaries . Some of those numbers ended up in the hands of what we would traditionally consider organized crime in Europe, in Italy in particular. . . .

Given the vulnerabilities on the Net, I'm slightly surprised that the organized criminals didn't go there earlier.

I think a lot of the focus in the popular imagination in the media has often been on individual hackers. There's been a romanticization of hackers in the past as people who weren't really engaging in crime somehow, but who were just testing their skills at pointing out vulnerabilities. But as e-commerce has taken off in the last few years, I think people are realizing that hacking it damages systems, or that exposing vulnerabilities can cause real economic harm. . . .

It's generally believed that the juveniles and hackers are getting caught because they're bragging, because they're boasting about it, whereas the more serious criminal is not, and hence is much more difficult to catch. Is that still the case?

I think we have seen a number of instances where hackers have been caught in part because they bragged about their exploits in chat rooms. But we are also seeing a growing degree of sophistication, and certainly someone who is in it to try to steal money or to steal sensitive information is not going to be bragging about his exploits. And clearly, the more sophisticated one's skills are, the more difficult that person is to catch.

In addition, the international aspects of this problem, the fact that a bad guy can loop his attack through many different countries and many different systems, makes catching cyber criminals much more difficult than analogous investigations in the physical world. We have to rely on the actions of international law enforcement agencies. We have to rely on their having the right laws in place and the right investigative skills. And it becomes a very time-consuming process to work through the international legal assistance regimes. . . .

Are you still investigating the so-called "Mafia Boy" distributed denial of service attacks in Canada?

That is still a pending investigation, and since the prosecution has not taken place yet, I'm limited in what I can say. But obviously the individual known as Mafia Boy has been charged in Canada with many of the distributed denial of service attacks that we saw in February, and the related intrusions that allowed him to carry out those attacks. He intruded into universities and other systems in the US and other countries, and implanted malicious code on those systems. He then used those to attack his ultimate targets, such as CNN, eBay, Amazon.com and Yahoo. There are some other attacks, and the prosecution is still pending. So in that sense, the investigation is still pending. But we are satisfied that the Canadian authorities have a very strong case against Mafia Boy.

Is he the only one who conducted those attacks? He did them all?

There were other attacks, and we have other people under investigation for some attacks. So we have not said that he is responsible for all of the attacks.

In the spectrum of crimes that you've been dealing with, how serious was Mafia Boy?

It was a serious incident. He knocked e-commerce sites offline that depend on customers and potential customers' ability to get into a web site for their business activities. It knocked several new sites offline such as CNN.com, which depends on advertising revenue, and that depends on how many eyeballs their system gets in a given day or hour. So knocking those sorts of sites offline for even a couple of hours can have a very severe financial impact on a company.

It also has a broader impact in undermining people's confidence in e-commerce. As we're beginning to see this huge growth in commercial activity online, people's confidence in the security of those transactions is very important. On an even broader note, I should say that the possibility of similar sorts of attacks is still a present concern. The vulnerabilities that were taken advantage of in February are still present. People can still get into systems and use evolving denial of service tools to carry out those same sorts of attacks. That's why, in the last 10 days, we've issued two additional advisories about some new trends in the distributed denial of service area. . . .

Given the whole problem of the vulnerabilities of the internet, can you rate the software in most people's computers in terms of security?

There are a couple of different levels of the problem. There is the state of the security that's built into the software that's used. And then there's also the issue of how that security is implemented. The most common and simple example is that people often have password access to certain files or to their email system, and yet they use a password that's easy to figure out. They don't use letters and symbols and numbers all mixed together. They use their favorite word or a name or something that's easy for someone to guess . . . . So we have to make sure that the security that is available is implemented properly. But we also need to improve the security software that's integrated now into the off-the-shelf packages that people buy.

Hackers are always complaining that the problem is the software companies, Microsoft and others, have not really taken security seriously enough in the past. Would you generally agree with that?

I think it's true that security has been, at best, an afterthought. But I think we've seen change in recent years because of the incidents that we've seen over the last two years, and the fact that security is so important to e-commerce. . . . Now that people are trying to engage in commerce online, security is a very big concern. . . . I think now that the market is beginning to demand better security, we'll see a response from the manufacturers, and that will inevitably lead to a stronger foundation for security across the board.

How important was Curador in the great scheme of things?

. . . Curador, or Raphael Gray, was someone who was able to hack into systems and steal in the vicinity of 26,000 credit card numbers. That's a significant crime, obviously, and he did it in many different countries. But the skills that it takes to engage in that sort of crime are not that great. And I think it's indicative of the level of security that a lot of web sites had at the time--and still have--that enable people to break into them. So we have other cases that are very similar to that in nature.

It's sort of an image of our times, isn't it--a 16-year-old geek in his bedroom hacking away and inviting the wrath of the state on him. It doesn't necessarily look well upon the FBI, ultimately, that you're running around knocking on the doors of teenagers all over the world.

We investigate crimes that are reported to us. And when we follow the trail back, we will act appropriately, regardless of the age or the location of the perpetrator. And so I think the image has been somewhat misleading to people, because it suggests that this problem is really one of individual young hackers. In fact, we are focused on a much more worrisome part of this problem. We are really much more concerned about some of the organized threats from foreign countries engaged in intelligence gathering, or preparation for information warfare from terrorist organizations. They will use these tools to commit violent acts against critical infrastructure systems, and organized crime groups, who really want to steal money or valuable information.

. . . But I guess the problem the public is still having is that there hasn't been a terrorist incident as far as we know. Other than Phonemasters, there hasn't really been a successful organized crime bust in cyberspace.

I think we just recently had a very good example that disproves that notion. We've had two subjects from Kazakhstan who were engaged in an intrusion and extortion plot against Bloomberg LP. And that case was successfully investigated because of close cooperation between the FBI and authorities in both the United Kingdom and Kazakhstan. That case involves a number of subjects, who are engaged in a traditional organized crime activity--extortion--but they carried out through cyber means. So I differ strongly with the notion that we haven't had successful organized crime investigations. We've had quite a few.

What is your greatest fear? When you look at the internet and at the interconnectivity of the world, what is your greatest fear?

My greatest fear is that the level of vulnerability is still so high that we are really open to a devastating attack on a broad scale against the computer networks that run vital systems, such as our electrical power systems, government operations, the banking and finance system. . . . And another significant challenge for us is dealing with espionage. The "Cuckoo's Egg" case, which involved the KGB hiring hackers to break into U.S. Defense Department systems, is now a 14-year-old case. I think if hostile intelligence services were engaged in that sort of activity 14 years ago, it doesn't take a great leap of the imagination to imagine what some of those sorts of intelligence services might be doing or planning to do today. . . .

What does the future hold? Can we fix this problem?

I think we can fix the problem. I think that, in the near term, we might see the problem get worse before it gets better. There's a power curve, and right now security is behind the power curve, because it takes some time for good security products to be put out there and integrated into networks and operating systems. And I think we need to make sure that the government has the resources in place to investigate crimes and, more importantly, to get information and get warnings out to try to try to prevent crime before it happens. That's really our number one consideration. But I think we will see an increase in the number of crimes being committed on the internet before good security is ubiquitous.

That raises the process of private police or Pinkertons of cyberspace. There's a huge growth in private security companies. There must be a temptation among them to just go and take action, whatever action, themselves. Does that concern you?

. . . What's most important is that, as people get into the security business, that they realize that this is not an area where the private sector can go it alone. If we're going to deter people from engaging in computer crime, we have to have an effective law enforcement response. That means that victims really need to report to law enforcement so that we can catch the bad guys, punish them appropriately, and deter other would-be bad guys from engaging in the same sort of activity.

Some critics say that government just can't move fast enough, that it's a big bureaucracy, that it's a huge infrastructure in and of itself. They say that it just isn't going to be able to keep up with the crime.

Well, there are certainly challenges to bringing the government around to deal with this sort of fast-evolving environment. But look at the track record that we've established in the two and a half years since the NIPC was founded. We have created a program in the FBI and for the federal government as a whole that is now capable of investigating some very complex international investigations. And I think the speed with which we are able to investigate things such as the "Melissa" virus, the "I Love You" virus, the distributed denial of service attacks, the Bloomberg extortion, the Curador case and on and on and on shows that we've made a tremendous amount of progress in a very short time.

But we can't sit on our hands or rest on our laurels, because the problem continues to grow. And it's imperative that the executive branch of government and the Congress realize that we need to keep making progress, that we need to put more resources into this area to make sure that we can stay at the cutting edge.

home · who are hackers? · risks of the internet · who's responsible · how to be vigilant · interviews
discussion · video excerpts · synopsis · press · tapes · credits
FRONTLINE · wgbh · pbs online

some photos copyright ©2001 photodisc
web site copyright 1995-2014 WGBH educational foundation