CYBER TERRORISM

Thanksgiving dinner last November. William Marlow is just pushing back from the family table when the phone rings. One of his clients, an unnamed Midwestern financial institution, thinks it's under cyber-attack. For Marlow, the next few days are all long, filled with pizza.

Marlow is a svp at McLean, VA-based Science Applications International Corp. (SCI), which operates a computer security team headed by Marlow and Dr. Mark Rasch, formerly U.S. Attorney for Computer Crime at the Department of Justice. The team has 47 bank clients worldwide, including, they say, three of the nation's largest.

When the call came, the computer security team assembled in their war room in McLean, established a secure link with their client's network, and began systematically securing the client's computer operations while metaphorically patrolling the walls, looking for anything from a simple mistake that might have accidentally set off the alarms, to a sophisticated timing attack, designed to distract the firewall while intruders slip into the system. "What the client was afraid of was that a Trojan horse had been introduced," says Marlow. A Trojan horse is a program that enters the computer network disguised as a harmless message, then opens a so-called "back door" for the attackers. "While we were doing that, we received a message from two individuals that was an extortion demand -- we're talking significant dollars, enough to alter our fee structure," says Marlow.

The Federal Bureau of Investigation (FBI) was brought in by the client, and the two teams, working together, tracked down the perpetrators. Marlow and his team built a chain of custody of evidence for the prosecution under Rasch's supervision, while the FBI pounded the pavement, locating and arresting the criminals, who are reportedly awaiting trial.

At press time, the FBI said it needed more specific information before it could comment on Marlow's experience.

Marlow's client got off easy. Last year, The Times of London -- a publication not known for its sensationalism -- reported that several London financial institutions had paid up to $400 million to fend off extortionists who used logic bombs (software programs that cause systematic errors) to demonstrate their ability to destroy those institutions' global operations. At least one of the attacks sent the proceeds to Russia, according to The Times story, which ran on the front page of its June 2, 1996 edition. Other journalists have confirmed the report, although officials steadfastly deny it.

Both these incidents were probably more a matter of cyber-gangsterism than anything else -- just a new way to hold up banks. But in today's strange new world, they could as easily have been perpetrated for kicks by a kid in Cedar Rapids, for money by a former programmer from the Soviet Ministry of Defense working for the Russian Mafiya, or, more dangerously, by a politically motivated terrorist trained by the CIA in Afghanistan, working in the Sudan with financing from a Saudi billionaire and intending to harm America by attacking its lifeblood.

Every Country for Itself?

And therein lies the rub: Once a bank is under cyber attack, it doesn't much matter whether the enemy wants your money or your life; the lines between mere criminality and political action are blurred by the anonymity of the attack. And since in cyberspace national boundaries aren't even lines on a map, computer attacks don't always yield to tidy legalistic solutions, even if the computer that launched the attack can be traced and happens to be in a nation with laws against them -- by no means a universal condition. Monaco, for instance, has no laws covering computer crime.

The result for America's banks is a sort of medieval world in which anything can happen, law is nonexistent, and everyone needs strongholds and armed escorts when traveling from one world to the other. And because the world is filled with persons who consider America's role as the citadel of democratic capitalism, and the exemplar of modern scientific civilization to be fundamental attacks on their way of life, a cyber attack on one bank could as easily be a first step in a plan to crash the international payments system as an attempted robbery.

And examples of cyber terrorism -- or at least how vulnerable we are to them -- do exist, though no official will admit to a cyber terrorist attack on a U.S. bank.

In 1994, for instance, according to 1996 Congressional testimony, two hackers named Datastream Cowboy and Kuji crashed the computer systems at Rome Air Force Base in Rome, NY, for 18 days. Rome AFB works on very sensitive defense projects; according to the testimony, not only were sensitive files stolen, but successful attacks were launched from the Rome computers to NASA's Goddard Space Flight Center, Wright-Patterson AFB, and defense contractors around the country.

Datastream Cowboy was eventually arrested in England and convicted there of telecommunications theft. Kuji is still at large; no one knows what happened to the stolen data.

The same testimony disclosed not only that the Defense Information Systems Agency's internal testing successfully penetrates Defense Department systems 65 percent of the time, but also that it estimates Defense systems are attacked about 250,000 times a year. It doesn't take much to see that if a Defense Department computer system can be penetrated, so can a bank's.

This is no secret to Admiral J. Mike McConnell, a Booz, Allen & Hamilton partner who recently retired as director of the once super-secret National Security Agency. "Banks talk about their systems as though (they have) no external connections," he says. "What most people don't appreciate today is that most banks today, when they are communicating, are traveling on the public switch network -- the phone system structure. When people say they're using the Internet, all they really mean is that they're riding around on the public switch network. That induces a certain amount of vulnerability."

Downloading Attack Tools

Banks will tell you they have "leased lines" between their branches, he says. "But they don't really have a physical line -- they have a restoral priority; it means they'll get service, but they don't know whether it'll go through New Orleans or Chicago. So the point is, that opens you to potential vulnerabilities.

"Now you can encrypt that message, and it will be more difficult to interfere with anything; and a bank can have certain kinds of defenses -- firewalls and whatnot -- but once you understand and appreciate them, there are ways to attack them. Nothing is 100 percent guaranteed impenetrable. In my experience, when you are testing something to see if there is a vulnerability, you most always find a vulnerability."

Added to that, says McConnell, is that on the Internet, all the attack tools can be downloaded; there is a "tremendous, richly robust hacker group that shares all these techniques" used for system penetrations, while readily available Silicon Graphics workstations make very capable platforms for cyber attacks.

Today, with all our networking, the vulnerability does not end with the transmission (of data), McConnell cautions. "It's gone from worrying about data in motion to also worrying about data at rest," because much information is stored on hard drives. "That's where the vulnerability is," he says.

Luckily, bankers are a paranoid lot -- safes and vaults were more or less invented for them -- and banking systems are on the whole among the most secure around. This was well demonstrated during the recent "war game" simulations conducted in June and July by McConnell in his McLean, VA, offices for the President's Commission for Critical Infrastructure Protection (PCCIP).

Global Ops Riskier

After two and a half days simulating escalating problems that began as apparently unconnected events and eventually manifested themselves as a full-scale cyber attack on the United States in which truck bombs were exploding at airports, the water supply was compromised, and attempts were made to penetrate FedWire and CHIPs, only the banking and nuclear power systems were left intact -- every other critical infrastructure had been forced to request government help. Among those with poor marks: law enforcement and intelligence, which didn't share information.

The PCCIP was created last year by President Clinton to address the fact that most of the computer networks in this country are interrelated and vulnerable to cyber attack both by terrorists, who may or may not be state-sponsored, as well as attacks by state-sponsored groups.

This vulnerability is only magnified, say PCCIP officials, by the fact that corporate outsourcing has created concentrations of services in a few hands, disruptions of which could create significant vulnerabilities within whole industries, including financial services. And modern business models built around the Internet only worsen those problems. "You're looking at an emerging business model in an emerging (global) economy that is very different from the old one, where you had manufacturing on the bottom floor and management on the top floor," says Peter Daly, a PCCIP commissioner and U.S. Treasury official. "Now you've got a CEO in Baltimore, his manufacturing is in China, his software is written in India, his telemarketing is in Ireland -- the Internet enables that, and that's what we're focusing on. The infrastructure is the carrier of commerce now, and there are important new kinds of risks there."

It was stimuli like these, say officials at the General Accounting Office (GAO), that led it this year to begin testing the financial system for potential weaknesses. The testing is occurring now; first it will try to penetrate banks, and then it will try to penetrate FedWire. The effort is being conducted out of the GAO's San Francisco office.

At the level at which the PCCIP is working, say officials, the worry is less about computer attacks on individual banks than it is about attacks on major computer centers that support the nation's financial infrastructure -- the problem being that at a certain level, the two are virtually identical and that a simple truck bomb, like those exploded at the World Trade Center or in Oklahoma City, could cause significant damage to, say, the New York Stock Exchange or Brussels-based Society for Worldwide Interbank Financial Telecommunication (S.W.I.F.T.), while taking down the telecommunications system with logic bombs would obviously affect the financial system along with the rest of the country.

How to Fight Attacks

But there are also high-tech attacks to worry about. Some attacks, like exploding a microwave or flux generator bomb outside the Richmond Federal Reserve, potentially taking down FedWire by destroying its computer system, require substantial resources and are impractical; both sorts of bombs are very large and would have to be delivered by truck, requiring the same sort of industrial base needed to build nuclear weapons. A flux generator bomb is capable of throwing an enormous magnetic field around a building, crashing all the systems within.

But there are lower tech attacks that even small banks need to worry about, since they could be used in smaller-scale extortion. A HERF, or high energy radio frequency, gun, for instance, is a small, futuristic device that sends an energy "spike" through a metal system, frying it.

These devices, which police forces are considering issuing to some of their personnel as a means of stopping escaping vehicles, are basically ray guns, right out of Buck Rogers. The technology, which is nowhere near as sophisticated as a flux generator bomb, could easily move from law enforcement to the criminal and terrorist population as it becomes more widespread. Tasers, readily available today, can also be used to attack and disrupt computer networks.

But these, at least, are not tough to defend against, according to a paper written by Carlo Kopp, an Australian computer scientist. Since a HERF or Taser attack made against a LAN is an electrical attack in which a power spike does the damage, he says, simply replacing the copper-based LAN with fiber-optic cable provides a practical defense. More advanced measures advocated by Kopp start with isolating the computer power system from the main power supply with an old-fashioned motor-generator power isolator, and go as far as building the sort of copper-mesh "Faraday Cage," sometimes put around a clean computer room, around an entire building.

Cost of Protection

But there's a price to be paid for upping the security ante, says an official at Washington, D.C.-based American Bankers Association, who requested anonymity. "(A determined group) can always kidnap somebody's family and make them do what they want, so I'm not sure how far you want to go," he says. "The thing you've got to remember is that these days, you've got guys carrying bombs with toggle switches instead of timers." Toggle switches are manual triggering devices used by suicide bombers.

"Low probability events are things banks have to deal with when they're catastrophic, and when they can be reasonably managed," he continues. "The thing is, we've got tremendous measures in place already, and the only other things (we could do) is to do full-field investigations (of employees) so not only do we know who our guys are, but that the government knows who our guys are, so they'd be more willing to tell our guys what's going on."

That cooperation could become far-reaching. Because the implications of cyber attack are transnational, and the interpenetration of terrorism and plain criminality has become so complete, many are calling for international police efforts. "We're totally behind the eight-ball, and everybody's stymied by this brick wall called national sovereignty, which the bad guys laugh about," says Arnaud de Borchgrave, who was Newsweek's chief foreign correspondent for 30 years, and who now heads the Center for Strategic and International Studies, based in Washington. "Any thinking person knows that the traditional prerogatives of national sovereignty have not only been overtaken by the information revolution, but that things like logic bombs and worms are the new arsenal in a new geopolitical calculus that enables the non-states, and even individuals, to take on a superpower. That's the sort of world we're living in, and our leaders don't want to face up to it.

"You need laws that enable you to operate beyond (national) borders," he adds. "Right now, if the Pentagon is attacked, they don't have the right to retaliate, even when they know the source of attack. We're a long way from an international SWAT team or teams, which is what I'm thinking about."

As things stand, meanwhile, most large banks have either contracted with companies like SAI, or maintain their own computer security teams, generally denying to the public that they face any real dangers and, it's widely assumed, leaving their own computer security crises unreported. This is exactly the wrong way to handle it, says Senator John Kerry, of Massachusetts. Senator Kerry's recently published book, The New War: The Web of Crime that Threatens America's Security, highlights the increasing incidents of money laundering facilitated, in part, by computer-savvy criminals. "It goes to their overall attitude to the whole thing," he says. "You have to put this thing out there; people have to know and understand it. The longer they're quiet and the longer these guys can operate without a sense of public outrage and concern, the harder it's going to be to marshal the forces to change the situation."

Making Attacks Public

"They'll need government help to fight these incursions from the Net," he says. "But acting on their own can't be adequate. You can do certain things, but if you keep this thing covert, you'll never summon the kind of clout you need to have a legitimate cure.

"That legitimate cure will involve some kind of understanding about how you're dealing with encryption, with how you're dealing with secrecy, of how privacy rights and access rights are going to exist, and of course law enforcement's rights with respect to all this," Kerry says. "It'll have to be a cooperative effort, and will involve some public law."

reinbach tfn.com

INTERNET POSES GREATER RISK

Serious cyber attacks on banks are still not common: SAI estimates they see only about five serious attempts on banks in any year. But a 1994 study by the RAND Corporation points out that as a simple matter of statistics, the danger of attacks on institutions of all sorts, including financial institutions, is bound to grow in tandem with the spread of computer use and the growth of the Internet.

Statistics on computer incidents reported to CERT, a computer security information clearing house and research facility located at Pittsburgh's Carnegie-Mellon University and financed by the Defense Advanced Research Projects Agency (DARPA), grew about ten-fold between 1990 and 1996. An apparent leveling off of reported incidents since 1994, says a spokesman, is more probably due to a multiplying of places to report such incidents than a slackening in hacker activity. An incident can affect one computer or, on a LAN, 1,000. CERT began life in 1988 as DARPA's computer emergency response team.

And a 1997 study by San Francisco's Computer Security Institute, conducted in association with the FBI, says that the 249 organizations who replied to their survey reported losses totaling $100,119,555. System penetration, fraud, sabotage, theft of proprietary information and virus attacks accounted for $65,623,700. Financial services companies, including banks, accounted for 18.77 percent of responses.

CSI officials say the average loss to financial fraud was $957,384, while losses to system penetration averaged $132,250. In comparison, losses from Internet abuse by employees totaled about $1 million.

HISTORY-INDUCED TERROR

Ironically, it was our triumph in the Cold War that set the stage for our present problems. The United States won the Cold War. But Russia was not occupied.

This historic anomaly loosened control over both the former KGB and its clients in the world of terror. The result is less actual terror -- violent attacks on civilians by trained, politically motivated people -- but more trained people left to shift for themselves. "The collapse of the Soviet Union has obviously let loose a tremendous amount of human capital and talent that has a lot of abilities that would normally be used for legitimate business purposes or purposes of the State, but now does not have an outlet," says Francis Fukuyama, noted author of The End of History. "A lot of that is going to come out in illegitimate activities, including things like cyber terrorism."

And in any event, Russia today is only partly what Americans think of as a nation, says Ambassador L. Paul Bremer, managing director at New York's Kissinger & Associates and former Roving Ambassador for Counterterrorism in the second Reagan Administration. "It's a bit of a combination of both," he says. "It is in a sense a country in that you've got 145 million people who mostly speak the same language, who have all grown up under a central rule from Moscow, who use a common currency, and who are more or less defended by a common army. But there is a lot of warlordism; you do have governors and other satraps out there who have a lot of authority. I don't think the last chapter is written yet; it could go either way in Russia."
