The Changed World
An Interview on Cyberterrorism with Paul Strassmann
By Bill Clark, BusinessOnline Asia
You could be responsible for bringing down the Internet. If you don't believe us, listen to Paul Strassmann, an expert on information warfare, computer security and other information technology issues. He has worked with multinational corporations and the US Department of Defense.
BusinessOnline Asia interviewed Strassmann by telephone in early October, to find out what threat terrorists pose to your business. He has good news and bad news to share.
What is cyberterrorism? How would you define it and how is it different from corporate espionage, information warfare and what we would call "hacking"?
Hacking is a crime - often a petty crime, malicious or deliberate fraud. Cyberterrorism is an extension of terrorism - a terrorism by other means - and it takes advantage of the fact that our society is increasingly becoming dependent on computer networks and, particularly, dependent on the Internet. Cyberterrorism, like any other terrorist act, is an act of carefully planned violence where a small amount of effort, usually hard to identify or catch, is applied to interfere with the functioning of civil society. Cyberterrorism is applied mostly to civilian information infrastructures, with ultimate objectives that are either ideological or political, but mostly political. Cyberterrorism doesn't stand by itself and is not an isolated phenomenon. It is part of a much larger scheme to undermine the operations of a technologically advanced society, and its primary target is likely to be the USA.
How real a threat is it right now?
There are many ways of judging the severity of such threats, but the primary target for cyberterrorism is the Internet. Its most attractive objective is to bring the Internet down, since increasingly, all commerce depends on Internet-based transactions. The cyberterrorism threat is real because we have already experienced experimental acts of cyberterrorism when a large number of Internet-connected computers have ceased to function.
As if to demonstrate the poor reliability of the global web of communications infrastructure that much of the world's commerce relies upon, the telephone line goes dead. After several attempts, a connection is re-established between Singapore and Strassmann's office in New Canaan, Connecticut. Strassmann takes up again where we had been interrupted.
The feasibility of cyberterrorism bringing down the Internet - principally by means of "denial-of-service" attacks - is what I wish to concentrate on in this interview. The technical feasibility has already been demonstrated, at least partially, in a series of attacks like Code Red I, Code Red II, and Nimda [three recent computer virus outbreaks]. Each of these attacks exploited a known software weakness in one of the millions of servers and workstations connected to the Internet. Such weaknesses can be exploited to create what's called "cascading failures", which are self-replicating failures that induce further failures. So far such failures have been limited to only tens of thousands of sites. When cyberterrorists approach the study of Internet weaknesses in a planned and concerted manner, and if they devote substantial resources to such pursuits, they can continually experiment with more and more potent ways of creating denial-of-service failures. The chances are that any such attack would be well thought out and a contributory campaign in an otherwise concerted act of cyberwar.
The idea of bringing about a massive failure of the Internet by flooding it with self-replicating transactions has already been demonstrated on a sufficiently large scale to make such an eventual global threat credible. For instance, the FBI has posted a listing of the top 20 most dangerous known deficiencies in existing software. It just happens that most of such defects are attributable to fundamental weaknesses in Microsoft software, because Microsoft is so pervasive and so thoroughly infused by multiple known weaknesses. Therefore, it is conceivable that at a given level of sophistication by the attackers a simultaneous exploitation of five, six, seven, or eight weaknesses could create a cascading chain reaction that overwhelms the capacity to carry the traffic and thus brings the system crashing down.
Reports of a US National Security Agency experiment, called Eligible Receiver, showed vulnerabilities in military and civilian information technology infrastructure as early as 1997. We may have thought the Internet is unreliable but that these other systems were more robust. Are we being complacent?
I think you have to be analytical about assessing the probabilities of risks as they may apply in specific situations. You have to look at what dependencies any one institution has on the Internet and then, case-by-case, decide whether such a dependency creates a vulnerability. That cannot be generalised, it has to be very specific. For instance, if you have a US Army supply logistics system which depends on automatic re-supply through electronic commerce and if that is Web-based, then you will certainly have to put a question mark against its vulnerability and dependability.
The same applies to Singapore. Your country prides itself on possessing a sophisticated system upon which much of your commerce is based, particularly your port controls, which are your life-blood. The extent to which your port clearance system (which I reviewed a couple of years ago) is vulnerable because it is dependent on systems that are hosted on the Internet is a matter that warrants a thorough examination. Even if you operate your Internet connections via virtual networks, that may not help you either, because denial-of-service would most likely saturate the switches and routers that handle the transactions. Under such circumstances whether you have a virtual network or not would be immaterial, because the switches and routers would cease to function when overwhelmed by traffic.
So it's irrelevant how secure your data are because they cannot move?
That's right. There are other forms of cyberterrorism such as database attacks and database corruptions, which are not only more difficult to execute but probably also require the participation of a corrupted insider. Nevertheless, for the purpose of this interview I want to concentrate on the clear and present danger, which carries the highest risks, which is denial-of-service.
Should we be mixing-up our computing platforms so everyone is not using the same systems or should there be a widely adopted standard that can have the bugs worked out of it?
[laughs] First thing, there's no such thing as a totally secure security standard that can be mandated as a uniform system for the whole world. That simply can't be accomplished because it is administratively infeasible. Government systems are not necessarily more secure than commercial systems, so you just have to forget about relying on government to assure the universal security of the Internet. What you really have to do is be smart about the sources of infection and how such pathologies are spread. For instance, the linking of Microsoft Outlook to Microsoft Windows and Microsoft Explorer is one of the best-known and most frequently encountered massive-effect vulnerabilities - particularly for Outlook, with its integrated address list, which offers a ready means for spreading cascading infection. As such weaknesses are discovered, Microsoft will publish an after-the-fact patch (fix) as a remedy. Such an approach is, arguably, totally insufficient because Microsoft should be fixing the basic design defects in its software, not just correcting one of many possible abuses of an intrinsic flaw just waiting to be exploited by yet another clever attack method.
What we have in the case of the ubiquitous presence of Microsoft is a problem that is well understood from evolutionary biology. It's called the phenomenon of a monoculture. There's an article I published almost three years ago in Computerworld with the title "Microsoft: A National Security Risk". As I see it, unless vendors are legally liable they will always pursue revenue and marketing objectives first and foremost to increase their market share and profits. Microsoft - to their credit as a fantastically profitable business - has always pursued seamless integration as a way of making it easier for people to achieve interoperability among applications. That serves Microsoft's marketing objectives well and also fulfills customer wishes, as is evident from Microsoft's market dominance that approaches a monopoly. But, in the same way we have legislated against asbestos, or protected people against damaging pharmaceuticals, I think the current liability-exempt status of Microsoft software disregards the national and economic aspects and is therefore inexcusable.
So Microsoft is the IT equivalent of asbestos? Or is that a bit strong?
No, it's not a bit strong, it's equivalent to asbestos plus tobacco smoking plus AIDS. Asbestos and smoking are not infectious. Asbestos doesn't spread, you just have to be physically exposed for an extended time period during which you will be fully aware of the presence of choking dust. Asbestos damage is not contagious. The problem is that once you get into the Outlook directory you can become a source of infection for all of your friends and business associates. My concern is that if you become a source of infection because you did not protect yourself (if you did not install the latest of hundreds of patches), the inherent vulnerability of the Internet community to Microsoft-generated effects is magnified.
Where do we separate the hype from the reality? What questions should you be asking your CIO before undertaking a course of action?
The first question to ask is to find out if your CIO has installed reliable intrusion diagnostic software. Since 100.0% assurance against Internet induced failures is not feasible the best you can do is to correctly recognize the damage and then act accordingly to minimize the damage. I use an extensive collection of damage assessment software tools myself. I have installed a collection of security precautions and hope that my vendors will keep up with the highly innovative and changing tactics of the attackers. Keeping up with the increased sophistication of failure-inducing attacks is necessary because the targets of vulnerabilities are shifting. Find a trusted source, and there are such things as trusted sources even in the counter-cyberterrorism arena, to come to your assistance when your systems are attacked over the Internet.
Should people look at hiring somebody to do some ethical hacking?
Or you can purchase yourself a multipurpose self-hacking tool to test your exposures to multiple attack forms. I bought one myself for US$18. By the way, I have a number of computers that need protection. Though I am perhaps more fastidious about information security than most operators, my self-hacking found some of the most elementary examples of negligence on my part that made me vulnerable.
Have we seen anything that you would classify as acts of cyberterrorism yet? Nimda, Code Red, Love Bug, are those cyberterrorism?
Those are publicly known examples of how cyberterrorism can work, though there are other examples where focused attacks have already taken place on institutions that are critically important to the functioning of our society. One should view such incidents as rehearsals for future acts. If you are a terrorist and you want to blow up a train, you have to train someone to do it right by giving them some explosives to blow up a rail segment somewhere. My answer is that the experience with Nimda alone should be seen as sufficient proof that there is a real possibility that a massive disruption of the Internet is most likely feasible.
There is no incident that I know of that is actually described as cyberterrorism, at least not publicly.
Well, the odds are against that. When we finally are attacked, it will most likely be some sort of a national security system that would be compromised, and that would most likely be covered up and not become public knowledge. You must understand that one of the elegant aspects of cyberterrorism is that even if the cyberterrorist loses, he wins. Every attack reveals the defender's defences without the attacker revealing anything. This is what is called "asymmetric warfare." The traditional notion of military warfare was based on what's called the confrontation of force by a collateral counterforce. In other words, you have an attacking force, such as soldiers or tanks or what have you, and the other party also has a force with which they defend themselves; such an encounter would be governed by conditions that apply to "symmetric warfare". What is totally unprecedented now in history is that in "asymmetric warfare" the attacker has all of the advantages and can accomplish such a feat by never becoming visible to the defenders. In fact, there is no way the defender can attack the attacker under such circumstances.
To put that into a real world context is that similar to guerilla warfare activities where you have a very hard time finding the enemy?
Personally, I have experience as a guerilla. I had eight months of service behind German lines in 1944 [World War II]. I would not classify cyberterrorism as equivalent to guerillas because guerrillas engage in relatively infrequent physical acts of destruction and are dependent on support from villagers for food and an outside supply of weapons. It's very difficult to be a guerilla and the casualty rates are extremely high. Information terrorists can launch thousands of attacks out of the comfort of their bedrooms while eating well and enjoying all of the comforts with hardly any personal danger to themselves.
You'd be at risk all the time as a guerilla?
The thing that differentiates cyberterrorism from guerillas, and even separates cyberterrorism from acts of terrorism like the September 11 attacks, is that at least those terrorists died in the process. A cyberterrorist does not die, doesn't have to suffer and can live a well-paid normal life, most likely as a software consultant.
It's the ultimate in the invisible enemy.
How do you strike back against it?
You have to understand that a cyberterrorist exploits weaknesses. They take advantage of the fact that our software systems and our operating systems are woefully inadequate and are responsible for the intrinsic vulnerabilities that can be exploited. Cyberterrorists live off the weaknesses of the defenders. In the cyberterrorist's case it's the extremely low cost and low risk exploitation of the weaknesses of the victims where the cyberterrorists have the advantage. They also enjoy the support of others. Every night there are thousands of conversations taking place discussing the weaknesses of existing organizations in managing their computers. The cyberterrorist does not even need to do research, because there are a large number of sites where software experts are discussing the weaknesses in the latest patch that has already been distributed by a vendor. In this way cyberterrorists have the benefit of taking advantage of some of the best brains in the world doing research on how to subvert potential targets.
In a recent [post-September 11] article you wrote, "All IT assets in the US should now be seen as operating in a war zone." Presumably, we can expand that to apply to any country?
I was a member of a senior delegation three years ago that visited Singapore. A major American corporation was planning to make an investment in setting up the Pacific hub for its data networks. One of the reasons they chose Singapore was that here was an environment that presumably was more favorable to matters of security than some of the other places in the Pacific. Though the physical facilities in Singapore were clearly superior, from the standpoint of concentration of data traffic and dependence on the Internet I concluded that commercially the "information island" of Singapore offers perhaps as great a concentration of vulnerability to cyberterrorism as New York.
How expensive is it to safeguard a typical corporation, can it be done within existing IT budgets or is it a major project?
I don't think it's a major project. One of my professional occupations is to be called in for what's called post-attack assessments. I usually come in and when I see failures in security they are usually the results of stupid omissions and a few critical individuals not performing some of the most elementary precautionary acts as was expected.
What are some of the stupidest things that people do?
[laughs] Let me give you a glaring case of disregarding elementary security. This is a particular case in which I was involved. The organization was very secure. In its operations it followed best practices and was often praised for that as an exemplar of good risk management. All of the money transfers - sometimes in hundreds of billions of dollars in a matter of an hour - were securely executed without ever having a problem. I mean the computers, the data center and the transmission lines were buttoned-down securely at all times. Yet, suddenly, there was a problem - a large sum of money disappeared in a matter of seconds. When we finally walked through all of the scenarios, the problem was that although the computer systems were absolutely secure, the maintenance programmers who were supporting the money transfer applications were communicating by open e-mail about software fixes and how to manage the next software release. The e-mails were mostly about project management housekeeping, such as when you run the tests and when you do a software update. The e-mails therefore flagged when the money systems were most vulnerable. By keeping track of the programmers' chatter over e-mail the attackers knew exactly when, for a few seconds, the system was naked. You must understand that in cases of cyberterrorism the number one rule is that most of the efforts of attackers will be spent not on attacking directly but on seeking out what and where are the locations of maximum vulnerability.
This organization lost millions of dollars?
And presumably they don't talk about it?
Of course not. No financial institution will ever admit that their security was breached.
What can a business put into practice without spending a lot of money?
Most of the security fixes are trivial and don't cost much money. The issue is not one of technology, but of managerial accountability. When there is a security failure it is very hard to locate who is really responsible. Therefore, every organization must have somebody who will have to worry about information security. What you need is for the CIO to sign off that a system has been secured to the maximum affordable levels of risk protection. I am calling for a similar process as when a CFO must sign a legally valid annual statement that states that all the financial assets have been accounted for. Such a signature is the basis of the recognized legitimacy of a CFO. It is based on the fiduciary responsibility of the CFO to certify that the accounts are correct. It is tragic at this point of historical development that the CIO has absolutely no legal responsibility for anything. The fundamental premise of all law is that you shall be free to act, as long as you're accountable. I'm for the freedom that every CIO is seeking (including clamoring for a seat on the Board of Directors), but I'm also for a new set of accountabilities for the CIO for the security of corporate information assets.
That's one point I haven't heard mentioned. Some people have been saying that in the wake of the September 11 attacks we must be concerned that people should not have their civil liberties restricted. We've not heard about the need to act responsibly.
The civil liberties presumptions are empty gestures when they try to apply them to acts of cyberterrorism. The cyberfrontier is largely lawless, at present. So it's not throwing money at security or abolishing civil liberties that will cope with cyberterrorism. What is needed is to bring law and order and accountability into management of information security. That should greatly reduce the viability of cyberterrorists to operate. Guerillas can only operate in situations where law and order has been largely discarded.
Guerillas live off the land and depend upon the support of people, you obviously need to have that support.
You must have that support and you must have the support that enables it. That support is feasible because something is fundamentally wrong in the affairs of the community. For instance, Microsoft has absolutely no legal liability for anything. You buy a Microsoft package and you have to say, "I accept" all of the terms and conditions specified in extremely fine print. Have you ever read that six point fine print on your squinty screen? You practically sign away all of your rights. That is just not tolerable. Microsoft, being the most profitable firm in the world, is also the primary source by which denial-of-service has always been replicated. I doubt that any massive cyberterrorism attack will ever be launched by exploiting the weaknesses in the Apple operating system [laughs]. It would not be worth the trouble.
To protect a business from cyberterrorism is it really any different from protecting yourself from hacking or from industrial espionage? Are the security steps essentially the same?
There is a difference, because you have to protect your secrets from industrial espionage by having strong passwords, and you have to protect yourself from hacking by having all your releases up to date and making sure all the people who have left the employer have their passwords and access privileges terminated. Those are mandatory prophylactic practices. It's like having to wash your hands and brush your teeth as elementary acts necessary for good health.
Protection against cyberterrorism is not just a matter of instituting good business practices in individual businesses - those are necessary practices and should not be compromised. The impact of cyberterrorism is clearly beyond the purview of individual businesses. Cyberterrorists are not interested in damaging a particular business. They are after disrupting social structure and commerce. That requires concerted action to impede the functioning of the global community where the Internet is the platform of world commerce. The Internet is now the lifeblood of global collaboration and therefore the primary ideological target. When you study the cyberterrorists' ideology you discover they are fundamentally opposed to globalisation, to global trade.
Individual businesses are not necessarily the targets of cyberterrorist attacks, just as the World Trade Center, American Airlines and United Airlines were not the targets of the terrorist attacks on September 11th; they were merely...
Vehicles for destroying symbols of global trade and global finance.
So you should protect yourself so you cannot be used as a vehicle...
...but the risk to your business is negligible unless perhaps you're a power utility, unless you're running nuclear power plants or some such?
Yeah, but then you would be part of what's called a combined attack. You become a secondary objective to achieve a primary objective.