Corporate and Government Computers Hacked by Juveniles: Your Government Computer Is Being Targeted for a Hack Right Now. The Hackers Are Teenagers. They'll Never Be Caught, and They Know It
Radnofsky, Mary L., The Public Manager
Imagine a teenager in his pajamas on the computer in his bedroom at 3:00 a.m., absorbed by the challenge of hacking into the Pentagon. And then, finally, he comes across a list of thousands of e-mails from top military brass with cool subjects about different "operations." There, appearing on the screen before his eyes, are the names and passwords of over a dozen U.S. Department of Defense (DoD) employees. He could be the proverbial fly on the wall, listening to bioweapon experts at the Defense Threat Reduction Agency. Yeah, he'll get to that tomorrow night. OK. Save. Maybe in a week or two, he'll get to that high-security software for the International Space Station on the National Aeronautics and Space Administration's (NASA's) network. But it's 4:00 a.m. and there is school tomorrow. Bookmark. Shut down.
Seem unlikely? It happened. Yes, this case was way back in 1999, when most people hadn't realized the transparency of computer communication. Except, well, many had. So today, in 2006, why are there even more of these cases? Thousands of computer intrusions? Millions of identity thefts? And $67.2 billion lost to cybercrime last year? The lesson begins two decades ago.
First Hacker Caught
The year was 1986. One lone American astronomer, who fiddled with computers during his research, discovered a financial discrepancy of seventy-five cents. From that, he followed a trail of computer hacks over several years, eventually convincing the Federal Bureau of Investigation (FBI), military, international security, and law enforcement agencies to pursue a computer criminal for the first time in history. In Germany, a college student had gained access to hundreds of computers on Milnet and Arpanet, the U.S. military versions of today's Internet. The hacker downloaded data from our Army bases in Germany, Japan, Alabama, and Georgia, from Air Force bases in Germany and California, from Navy systems in Florida, from the Pentagon, from the Jet Propulsion Lab, from an MIT computer, from Lawrence Berkeley Laboratory, and from other defense contractors.
Who else had seen the thousands of secret files that a German college student (dubbed the "Hannover Hacker") had been stealing for years? How does one measure the consequences of unveiled defense strategies, proprietary software, and military identities? Perhaps the more recent, though individual, case of Valerie Plame's lost cover can illustrate this point for us today. We won't know how bad things are until something happens on the basis of lost intelligence. That could be tomorrow or in two months. Hackers are patient, and sometimes wait years before acting on stolen information.
So, since 1986, Germans have become the best enforcers of information technology (IT) security in Europe. Here in the United States, however, we are still struggling with postponed legislation (H.R. 5835, the Veterans Identity and Credit Security Act of 2006), unclear and unevenly enforced laws, and, worst, the battle to convince ourselves that the problem of computer intrusions is in fact a very big deal--not just to industry giants, but to every government agency, school, and home.
The State of Cybercrime
Twenty years after the Hannover Hacker, not only do we still have these types of hacking crimes, but a plethora of even more creative ones, despite the genuine (and expensive) industry and government attempts to secure computer networks. Cybercrime is, of course, global. Although attacks come from all over the world, 26 percent start in the United States, followed by China with 24 percent. Many such crimes are committed by students--not because they really want state secrets, but just to prove they can do it. Many more do it for the millions of dollars they can generate through extortion. First, they demonstrate they have access, and then threaten to shut down a company's Web site for a day. So the company pays them not to make a denial of service (DoS) hack, and the cybercriminals get paid time and again.
The most common type of computer crime is "merely" a virus (84 percent of respondents in a 2005 FBI survey said they had experienced at least one), which has high nuisance and economic consequences. But more menacing, and almost as pervasive, are spying incidents (80 percent also dealt with this). In fact, spyware's legitimate function--to help track your child's computer use, for example--makes it freely available on the Internet.
Other problems in cybercrime include such recently publicized problems as cyber stalking, cyber pornography, child predators, illegal downloading of songs and movies, and software piracy. In addition, a 1999 RAND publication said that al-Qaeda "appears to have widely adapted information technology," and was building a terrorist "communications network that relies on the web, e-mail, and electronic bulletin boards." Cyber terrorism was born.
Other examples of cybercrimes include the following:
* In 2000, a disgruntled worker in Australia hacked into a waste management control system and released millions of gallons of raw sewage into town.
* In 2001, two postgraduate students cracked into a bank system used by the U.S. Department of the Treasury for Internet transactions, and then generously told the world how they did it.
* In 2003, an 18-year-old, who considered himself a gray hat hacker (see Webster's New World Hacker Dictionary for hacker terminology), was arrested for spreading a variant of the "Blaster" virus, which had infected or shut down millions of computers worldwide. A year later, the Blaster's original creator was also caught. (Update: spam and junk mail now account for 70 percent of office e-mail, and one in thirty-six such e-mails contains a virus.)
* In 2005, Chinese hackers penetrated U.S. government networks and stole military secrets, including future command and control documents.
In 2005, the identity theft of 33,000 Air Force officers from a computer at Randolph Air Force Base resulted in the loss of their Social Security numbers, birthdates, and other confidential data. In 2006, the personal information of 26.5 million U.S. veterans and 2.2 million active service members was lost when a laptop with the data was stolen.
Also in 2006, hundreds of thousands of U.S. and European bankcard numbers and personal identification numbers were stolen. Bank accounts were looted, and people lost their life savings. Think Enron losses, and multiply by one hundred.
The Basics of Cyber Defense
So what is a company or agency to do? Money helps, of course, but despite billions of dollars spent annually on security, there is still an increase in the frequency of computer crimes, many of which sound like a foreign language: there are, as briefly mentioned above, DoS attacks, viruses, malicious code, spying, and key-logging. In addition, we now have worms, trojan horses, botnets and zombies, packet-sniffers, war-driving, pharming, and spear phishing, not to mention usurped control of real-life vital services and utilities such as sewage plants and city power grids. Yes, hackers can actually disrupt and endanger our personal and professional lives in concrete ways. Phone service can be interrupted, traffic signals changed, and harassing and threatening e-mails sent in your name.
Let's say, though, that your budget doesn't include billions of dollars for IT (and even if it did, would you want to be constantly on the defensive against computer attacks?). In that case, different solutions are needed, because hackers are persistent. They will "knock at the back door" of your network not just for hours, but for months, or years. Maybe the old software used to keep them out. Double check, though; they may now be in.
It goes without saying that you must install and activate all security hardware and software--and do so correctly. Let's assume you have firewalls and other security on your system. You probably still experience dozens, maybe hundreds of computer intrusions daily, especially spam with viruses or worms. And what about the bots or malcode that were left behind? Your spam-blocker may have slowed the flood of e-mails, but it didn't clean out the system. Antivirus software was installed to run continuously on all employee computers, of course, but it is worth verifying that no one has disabled any of the security measures (which commonly interfere with many programs and so are frequently "temporarily" disabled and then forgotten). Other times, dedicated employees choose to keep them off, because they hamper productivity. In either case, the damage is done.
Let's also assume that as a dedicated manager, you've sent out positive memos reminding people to follow security procedures. Maybe that is all you've been allowed to do. It has been difficult to enforce cyber security procedures in the office or with subcontractors, even harder to find leaks, unclear as to how to punish for noncompliance, and vague as to how to deal with actual loss (money, identity, or property). Compliance is still mostly voluntary, with no single government standard uniting the rules and procedures. Until now.
HR 5835, proposed following the veterans' identity thefts, has been approved by the House Veterans Affairs Committee as of this writing, and could be signed into law this coming session. The bill, if enacted, would give chief information and security officers the power to enforce cyber security policies "to the extent determined necessary and explicitly by the head of the agency."
This bill is significant because prior legislation (the 2002 Federal Information Security Management Act, or FISMA) was criticized for not having given that power to chief information officers, leaving them only able to make cyber security recommendations. HR 5835 would establish federal standards to notify and provide credit protection services for cyber victims, and enforce instant warnings to Congress or other federal offices affected by security violations. A controversy now exists as to whether agency undersecretaries or their IT departments should ultimately have IT security enforcement power.
At this point, maybe you're saying that the few intrusions into your network have been fairly innocuous--a few redirected Web links to a porn site or some fake e-mails. But they can escalate at the punch of a key. If someone has the access to send fake e-mails, they may also be able to read all of yours and everything else on your hard drive.
Hackers have created an international community that openly shares malicious code, cracker programs, how-to-hack articles, books, workshops, and sites on the Internet and at national conventions. Frequent postings on hacker blogs publicize specific weaknesses in commonly used applications. Code-specific hacking instructions are accompanied by a disclaimer, "for educational purposes only," but names have been named and weaknesses revealed, making entire networks--government and private--vulnerable to attack.
So even though there is hope that agencies will be able to protect the cyber infrastructure with new laws or hardware, it may still seem that you have very little control over your own department's computer security. And if you think about the sheer number of human sources as potential data leaks, your control seems even more limited. Cause to worry.
Now, more cause to worry: international cybercriminals are increasingly linked to organized crime. And as cyber security software and hardware improve, IBM notes, "It is anticipated that many of these criminals may target the most vulnerable access point within a company or organization--its personnel--to execute an attack."
In fact, however, and despite the outcome of pending legislation, you actually have as much power with a few well-executed leadership decisions as with your arsenal of cyber defense measures. There is no physical warehouse to storm, no getaway car to outrun, and no clear-cut bad guy to catch. You have to outwit this enemy, and on his turf. That means education. You have to teach everyone else how to outwit him, too. It all comes back to learning a lesson. Call it training. Call it professional development. Call it continuing education. Just make sure that the receptionist learns it as does the boss.
Increased Cyber Security through Education
One agency that has taken an aggressive stance in educating its personnel is DoD, which has developed computer security simulations. They regularly put computer trainees through network attack exercises to learn to thwart actual intrusions.
In fact, the Annual Cyber Defense Exercise (CDX) is the ultimate National Security Agency (NSA) cyber challenge, where the military educates future officers in the art and science of computer network security. In a simulated military operation, teams of cadets and midshipmen defend a closed computer network they designed, built, and configured. Such cyber education is officially acknowledged as essential to this country.
Shouldn't all agencies, businesses, and schools be just as dedicated and allocate just as many resources to educating their own communities in the secure, legal, safe, and ethical online practices? The Socrates Institute, a nonprofit educational organization founded by this author, certainly thinks so. We began building a cyber ethics curriculum for schools in 2003, but the problems of cybercrime had not yet sufficiently caught the public's eye. Because no state department of education required any type of cyber safety, cyber security, or cyber ethics instruction in schools, the federal government did not yet see the need for it either. That is all changing now.
The U.S. Department of Justice Computer Crime and Intellectual Property Section Web site states, "Some individuals exploit the power of the Internet for criminal or terrorist purposes. We can minimize the harm that such individuals do by learning ourselves, and teaching young people how to use the Internet safely and responsibly."
The Federal Energy Regulatory Commission requires online courses for employees, managers, and technical personnel to "minimize disclosing sensitive information" and to "teach caution using the web/Internet media."
At the state level, Virginia enacted a new Internet Safety Law on March 7, 2006. Merely distributing acceptable use policies has not been effective. The law now has a provision to "include a component on Internet safety for students that is integrated in a division's instructional program." In the business sector, Symantec puts its employees through an ethics training program not just once, but yearly, and supports Virginia's initiative in protecting children online through classroom instruction. They also add, "As part of a safety program, the Virginia Department of Education should be looking holistically at Internet safety to incorporate cyber security and cyber ethics as well."
Three Aspects of Cybercrime Education
These three aspects of cybercrime education (cyber safety, cyber security, and cyber ethics) form the foundation of the annual C3 Conference at the University of Maryland. The organizer, Dr. Davina Pruitt-Mentle, speaks to its educational focus:
"We can use many materials out there in schools, but cyber ethics, cyber safety, and cyber security education won't make an impact until it's fully integrated throughout an entire state curriculum. It can't just be an add-on or a school assembly. It needs to become ingrained into everyone's daily routine."
Emphatically, the Cyber Security Industry Alliance states,
"What is missing here is a focused and organized national effort to teach children cyber security, cyber ethics, and cyber safety with national security in mind.... It is incomprehensible that we are not teaching cyber security, ethics, and safety at an early age. Poor awareness by children about cyber security may ... ultimately threaten the fabric of our nation's critical cyber infrastructure."
Not surprisingly, one other community also agrees on the importance of cybercrime education. Computer hackers themselves seized the Internet long ago to build a following, create gangs, and challenge each other. As a result, we are dealing today with the somewhat chaotic cyber culture they built. But as with any culture, this one must evolve in order to survive.
International cooperation in criminal cyber activity is already underway (the Senate has finally ratified the Council of Europe's 2001 Convention on Cybercrime, making us the sixteenth of forty-three countries to sign). While the treaty sends the signal that we are building a united front to pursue cybercriminals, it is up to leaders in the cyber culture to reestablish a united set of values (admittedly an extremely difficult task), and create a common link between what are now tragically disparate nations, at several levels.
Changing Cyber Culture through Education
Anyone in your office with access to an electronic communication device (from a cell phone to a fax or podcast) risks opening your network to hackers. It doesn't have to be a high-tech piece of equipment either. Information leaks have been happening without laptops for centuries through "social engineering," but there are ways to minimize these risks.
So how do employees deal with the cyber culture in which they work eight hours a day? They make up the rules as they go along. Yes, really. As a result, the cyber world has as much freedom, excitement, and danger as the Wild West. But as the Internet reaches a critical mass of users who demand safe, ethical, and secure interactions, it also moves closer to creating a more civilized society.
To facilitate that move, people need to learn why they must implement certain security protocols, why following one procedure cannot replace all the others, why certain online activities interfere with security, why verifications, back-ups, passwords, and firewalls are all needed, etc. Mostly, though, they need to know why each and every person should bother with all that even if they are "just" a receptionist or "even though" they're the boss.
It is not enough, of course, to tell people why they should change. To increase the chance of policy being correctly implemented, people need both an understanding of why as well as hands-on training in how to change. In computer security, this means letting each employee go through the keystrokes themselves (ideally in a safe, simulated environment) to best understand the importance, relevance, and logic of procedures.
In such simulated environments, we know that learners improve decision making, make faster choices, apply learned behaviors, and move more easily from novice level to expert. The good news is that simulations can help people learn to avoid Internet credit scams or worms and to make wise decisions using their own "talents" online. They can learn how to securely instant-message (IM), blog, and use their cell phone without revealing critical information. And throughout the simulation, they will learn the consequences of making wrong decisions.
The bad news is that providing such educational training takes a great deal more time than adding security software, but both strategies are essential to cyber security.
NetEdGE Cyber Education
Leaders in both the public and private sectors advocate direct instruction for employees and students in the proper use of cyber technology. In the spirit of fulfilling this need, the Socrates Institute has been developing NetEdGE (Internet Educational Game of Ethics) with seed money from Symantec. Our purpose is to create a training program that guides young people through different scenarios of cybercrimes from three perspectives: elite hacker, innocent cyber victim, and undercover FBI agent. In each role, the individual learns how to interact in a simulated cyber culture through decision making and risk taking and especially by making mistakes inside the protected environment. We even give players the chance to hack into a fictitious organization, and then have to deal with the legal, economic, and social consequences.
Reaching the current workforce is undeniably important. But we must also reach young people at the start of their career. Nationwide, over 18.8 million teens spend an average of ninety minutes a day on the Internet. Over half (51 percent) of their parents do not have or do not know of software for monitoring where the teens go or with whom they interact online.
But we do know that organized crime has been recruiting teens in great numbers, turning their computer skills into big business. In fact, teens are even recruiting other teens in increasingly organized ways to commit DoS, fraud, and extortion.
We also know that only about 5 percent of all cybercriminals are ever caught, and few are punished. In fact, 90 percent of computer intrusions are never even reported; companies prefer not drawing attention to themselves, lest they risk losing consumer confidence. Our best chance, and one thing you can do as a leader, to reduce the numbers of cybercriminals is to educate the incoming workforce, giving them simulated opportunities to make both right and wrong choices in the cyber world, and show the real-life consequences of both.
There doesn't need to be an army of computer hackers to cause damage to an agency infrastructure. All it takes is one young person committing a single reckless cyber crime with no idea of the social, legal, economic, and emotional damage it can cause. All it takes is one teenager, who figures that no one will ever find him. And at three o'clock in the morning, with the world at his fingertips, he's running password-guessing programs. And he is not even sleepy.
We are in an unpredictable era of technological evolution that seems to outpace our laws, cultural mores, and sense of personal safety. We try to keep up with the new cyber world, so we create new laws. We sit at the same table with security experts and hackers. We invent new strategies to observe it, new tools to probe it, new portals to access it, and new words to define it. Now it's time we developed new ways to teach others (and ourselves) how to successfully, honorably, and safely live in the cyber world as we do in the real world. This article does not recommend or criticize any particular brand or trademark of computer security. Use the system best for your organization, depending on its size, security clearances, and budget. Educate your whole team in how and why to use it--all the time.
Berg, Al. "Threat Monitor: Seven trends to expect from virus and worm authors in 2006." Security Tips. SearchSecurity.com. January 4, 2006. http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci1155150,00.html.
Computer Security Industry Alliance (CSIA). Teaching Children Cyber Security and Ethics. White paper. July 2005.
Department of Justice. Computer Crime & Intellectual Property Section. 2006. http://www.usdoj.gov/criminal/cybercrime/cyberethics.htm#doca
Federal Bureau of Investigation. 2005 Computer Crime Survey. January 18, 2006. http://www.mitnicksecurity.com/media/2005%20FBI%20Computer%20Crime%20Survey%20Report.pdf.
Webster's New World Hacker Dictionary (Indianapolis: Wiley Publishing, Inc.: 2006).
The Jargon File. Glossary of Hacking Terms. 2006. http://www.catb.org/jargon/html/go01.html.
IBM, Global Business Security Index report. January 2006. http://www.03.ibm.com/industries/financialservices/doc/content/news/pressrelease/1500860103.html.
Mary L. Radnofsky, PhD, is director, The NetEdGE Project, and president and chief executive officer of the Socrates Institute. This article has been adapted from a more comprehensive treatment of the topic, including citations for all quotes and references, a glossary of cyber world terms, and other details. For more on NetEdGE, the original, unabridged paper, or to communicate directly with the author, go to www.socratesinstitute.org.…
Publication information: Article title: Corporate and Government Computers Hacked by Juveniles: Your Government Computer Is Being Targeted for a Hack Right Now. The Hackers Are Teenagers. They'll Never Be Caught, and They Know It. Contributors: Radnofsky, Mary L. - Author. Journal title: The Public Manager. Volume: 35. Issue: 3. Publication date: Fall 2006. Page number: 50+. © 2009 Bureaucrat, Inc. COPYRIGHT 2006 Gale Group.