Practically every business, social institution, government agency and family relies on cyber systems for the smallest routines in every phase of daily life. These individual computers and networks are considered prime targets for attack and, worse, are vulnerable to serious interruption by terrorists operating from remote locations.
The consequences would be incalculable. In one way or another, large portions of the country could be struck electronically deaf and blind if key links were successfully cut. Commerce would be seriously impeded and critical human services and activities would be curtailed.
Since arrival of the dreaded nuisance "hacker," or the electronic era's equivalent of a common burglar, government and corporate IT communities have been working overtime to perfect impenetrable walls that safeguard billions of daily electronic commands that pulse through workaday America. The ultimate question is, if self-taught hackers can bedevil industry with attacks, what could more sinister paramilitary and geopolitical hackers do?
CELLBLOCK TO BOARDROOM
One who has probed cyber system firewalls and found them wanting is Kevin Mitnick, the infamous hacker once regarded by federal law enforcement and high-tech industry as history's most- wanted computer criminal.
Now free after eight years of federal prison and supervised release, Mitnick ironically could be a valuable tool in fighting telecomm terrorists with his hacker secrets. He wouldn't be the first ex-criminal to legally trade on his notoriety: in 1970, the 1930s bank robber Willie Sutton did a television commercial for a New Britain, Conn., bank's new photo credit card.
As a teenager, Mitnick, now 39, started on his criminal career by outwitting telephone company security systems. He then graduated to purloining software of major corporations, including major electronic manufacturers. "Systems are extremely vulnerable," Mitnick says. "If I as a young adult was able to compromise any Bell operating company, what can a well-funded adversary do?"
He claims that with "a laptop and access to a phone line, I could take down an entire telecommunications infrastructure." Confirming Mitnick's estimate of vulnerability, Larry Ponemon, chairman of Tucson-based Ponemon Institute, told The New York Times that "criminal activity on the Internet is growingnot steadily but exponentially, both in frequency and complexity. Criminals are getting smarter and figuring out ways to beat the system."
The British computer security firm mi2G predicts that worldwide hacker attacks in January totaled 20,000, up from last October's previous monthly record of 16,000.
Hacking, spreading so rapidly and destructively, has spawned a new industryhacker insurance. New York City-based insurer American International Group Inc. claims a 70% market share of a $100-million-a-year business, which experts predict will grow to $2.5 billion by 2005. Premiums are dear, typically in the range of $1 million per $25 million coverage.
Mitnick now has gone straight and created a company, Defensive Thinking Inc., Thousand Oaks, Calif., that offers corporations guidance on thwarting hacker attacks. He also lectures and is producing a training film. In Mitnick's estimation, the most serious weakness in U.S. corporate telecomm security is the "human factor." Gullible company employees often unwittingly comply with a glib hacker. The perpetrator usually poses as a fellow employee, requesting sensitive cyber information for computer access. Mitnick has a term for the smooth-talking con-job technique: "social engineering."
In his autobiography, The Art of Deception, Mitnick provides a veritable manual of secrets from his successful hacker conquests, a how-to guide that corporate security departments might well include in their libraries. Industry IT chiefs haven't been asleep. Across the nation, anti-hacker work is apace.
John W. Richardson, manager of Internet security technologies at Santa Clara, Calif.-based chipmaker Intel Corp., says, "I see many weaknesses . Some are in the physical worldcut a few cables and entire cities could become disconnected. Eliminate some major switching centers and there are significant outages for a long time."
Firewalls, Richardson says, "can offer a false sense of security." He estimates that while 80% of Internet traffic is legitimate, half of the remaining 20% "is clearly malicious. We get gigabytes of attack traffic every day."
Consulting engineer CH2M Hill Cos. is deeply involved in vulnerability assessment of IT infrastructure, both in-house and as a revenue-producing service for its customer base, says Jeff Akers, president of the Englewood-Colo.-based firm's communications group. Akers identifies the IT components of water, communications, transportation, utilities and energy operations as a prime target for terrorists.
Although electronic security is a hot new market sector for many firms, others have been at it for a long time. Science Applications International Corp. Senior Vice President John Casciano says the San Diego-based research and engineering company has included technology-based and communications security measures in its toolbox since its founding 34 years ago. One of SAIC's biggest information security customers is the federal government.
Casciano rejects using reformed hackers in security preparations. "One-time hackers may make an interesting story and constitute a unique approach to advertising, but we find trained, professionally certified practitioners to be more valuable to our customers," he says.
For Black & Veatch, the Kansas City, Mo.-based global engineering, construction and consulting firm, Chief Knowledge/Technology Officer John Voeller believes "hacking protection against terrorists is a minor extension of what every enterprise should be doing." Although he believes terrorists probably would target cyber firms with high visibility, "because we are all so heavily connected via services..., an attack on one is likely an indirect attack on many."
Voeller classifies "highly visible sociopaths" as much of a threat as anti-U.S. terrorists. He says greater attention now is given to systems' disaster recovery techniques as well as having outside audits of a firm's security preparations.
While some firms proudly tout their expertise in cyber security, others decline to discuss the subject. Katrina Puett, spokeswoman for Washington Group International, Boise, would say only that "for security reasons, we don't comment publicly at all on precautions we've taken to protect any of our corporate assets."
The same is true of international nuclear engineering firm Framatome ANP, Lynchburg, Va. Company spokesman Phillip Carter says that the company is active in cyber security, but would not offer details or comment further.
IT Takes a Thief, Maintains Reformed Hacker He was reviled as "the most wanted computer criminal in U.S. history," but idolized by some in the Information Technology culture for his daring. Now, notorious Internet hacker Kevin Mitnick is a free man in a world that, ironically, might use his once-criminal know-how to deal with the menace of international techno terrorists.
The parallel between Mitnick and a classic Hollywood fictional film figure is inescapable: He could become a living incarnation of debonair Cary Grant's film character, retired cat burglar John Robie, in Alfred Hitchcock's 1955 film, To Catch a Thief. Reformed Robie uses his abandoned criminal skills to catch a real nocturnal roof-crawling Monte Carlo jewel thief. Felon-turned-citizen Mitnick has laid the groundwork to join the national effort in protecting the homeland telecommunications infrastructure. As a been-there, done-that expert, Mitnick should know how to foil terrorists from hacking into vital corporate and government telecommunications structures. He says he met recently with two men from the Commission on National Security to share his illegal hacking techniques. Mitnick, now 39, slimmed down and chastened by rigors of the justice system, was imprisoned for five years and thereafter placed on three years supervised release. His criminal burgling of computer software programs was legendary. The hit list included Motorola, Novell, Nokia and Sun Microsystems. Nothing was too secure for Mitnick's touch: passwords, personal information and sensitive corporate data. He cracked computer security and rummaged at will. While fleeing capture, Mitnick even managed to crack the computer files of the lead Federal Bureau of Investigation agent who was on his trail. Mitnick's cat-like ability to elude capture for three years transformed him from common fugitive into celebrity among some hackers. The chase ended with his 1995 arrest in a Raleigh, N.C., apartment, far from his Thousand Oaks, Calif., home. In tribute, fans created a "Free Kevin" Website for messages from the confined PC virtuoso. One Internet chat room participant called him the "Jesse James of the IT age." At 12:01 a.m. on Jan. 21, the Website was reworded from "Free Kevin" to "Kevin Free" as he ended federal supervision. A giddy Mitnick showed up live in Tech TV's studio to log on to the Interneta simple daily task for millions of PC users, but a prohibition for Mitnick under terms of his probation. Another admirer, Apple Computer co-founder Steve Wozniak, presented him with a new titanium G4 computer notebook. Not everyone considers Mitnick a noble, high-tech Luddite or Robin Hood. John Markoff, a New York Times technology reporter who chronicled Mitnick's escapades, describes him as a common "con man" who pilfered Markoff's e-mail files. The enmity is mutual: Mitnick claims that Markoff's reporting libeled the cyber-sleuth. "I stand by my reporting," says Markoff. Mitnick's climb to infamy began in his preteen years when he developed his first crude scam: using only one paper transfer to ride Los Angeles buses all day for the price of a single fare. In time he rigged pay telephones to make free long distance calls. He also turned to "dumpster diving," scavenging for carelessly discarded office files that unlocked computer data. Ultimately, he perfected the con man's smooth spiel, a technique he calls "social engineering." In his autobiography, The Art of Deception, Mitnick ticks off one anecdote after another of how he artfully and glibly assumed various poses to inveigle and cajole secret company information from gullible employees so he could access and pilfer data from computer systems. His most maddening trick, victims would discover, was "spoofing," engineering a user's computer to perform boomerang-like destructive functions. He also cracked Signaling System 7, the communications protocol for digital telephone networks, and manipulated it for his own ends. Illegal and destructive as they were, Mitnick's skills nevertheless bore marks of genius. Author Jonathan Littman in his book, Fugitive Game, says Mitnick practices "technical wizardry with the ages-old guile of a grifter." Today, Mitnick says, "I want to live the American dream: Have a career, take my expertise and make a positive contribution with my knack for information security. My values have changed." Settled in with his longtime girl friend, Darci Wood, Mitnick has been fielding a deluge of media interviews, mulling a new book and discussing with Oscar-winning actor Kevin Spacey a corporate anti-hacking training film. His company, Defensive Thinking Inc., Thousand Oaks, Calif., provides IT security counseling. He's also debunking myths. He denies that he broke into national security systems, and denies that he's the model for the movie "War Games," in which a teen hacker playfully triggers a military computer to launch a nuclear war. Perhaps cooling his heels all these years was worthwhile. He's auctioning three dozen personal belongings on eBay, from three "Free Kevin" bumper stickers ($25 bid) to a laptop seized by the FBI ($5,200 bid). His asking fee for lectures and speeches is from $10,000 to $20,000 each. And this was bound to happen: Mitnick's company Website (www.defensivethinking.com) was defaced by friendly hackers who left a message: "Welcome back to freedom." Says an amused Mitnick: "What goes around comes around." |
Click below to view more articles from this special report >>
BUILDING FOR A SECURE FUTURE
OVERVIEW
STRUCTURAL PROTECTION
INFRASTRUCTURE
COMPANY PROFILE
PORT PROTECTION
RISK ASSESSMENT
SECURITY PRODUCTS