Skating on Stilts

This is another excerpt from my book on technology, terrorism, and DHS, tentatively titled "Skating on Stilts."  (If you want to read the excerpts in a more coherent fashion, try the categories on the right labeled "Excerpts from the book." I'm afraid I can't fix the bug in TypePad that prevents me from putting them in the category in reverse-chronological order, but I have started putting chapters up in pdf form from time to time.)  Comments and factual quibbles are welcome, either in the comments section or by email:  fact.check.baker@gmail.com.  If you're dying to order the book, send mail to the same address.   

--Stewart Baker

By the time we were done putting the report together, I realized, we hadn’t just touched the third rail. We were tapdancing on it. By candidly treating the end of online anonymity and the adoption of tough security regulation as options, we were goring some of the noisiest oxen in Washington.

Well, what the hell, I thought. Maybe the time was right for a reconsideration of security regulation, especially after the hodge-podge the states were making of the issue.

I was wrong.

Memories of Dick Clarke’s fate were too fresh, and by mid-2008 the Administration was running out of time. I showed a draft of the report to the front office and sent the Homeland Security Council a copy. Not much later I got a call. The Council didn’t want to even raise regulation as an option in the interagency discussions. They feared that industry and Congress would kill the little progress that had been made if regulation was even treated as an option. In fact, they wanted to bury the report. Instead of thinking about the future, they’d focus only on tasks that could be done in the waning months of the Bush Administration.

It was disappointing but I understood. Chertoff, who'd been a rock in other disputes, was now focused only on fights he could win and changes he could implement in six months or less.  And we had reached that point in an administration where accomplishing even the simplest and most obvious tasks had become nearly impossible.  Energy was draining out of the Bush team, and what remained was soon focused on a cascading financial crisis that left no time for next year’s threats.

I thought that there might be value in letting the Obama administration consider these issues without explain that it was reviewing options proposed under President Bush. The new administration might have more leeway to consider the attribution and regulation issues with an open mind.

I was wrong about that too.

The Obama administration brought a flurry of energy and determination to the problem.  As well it should have.  Barack Obama and John McCain, after all, had been the first presidential candidates whose campaign networks were systematically penetrated and exploited by foreign intelligence-collectors.  And candidate Obama had pledged that cybersecurity would be a top national security priority in his administration.  Nevertheless, the new Administration's resolution seemed to waver within weeks of the inauguration.

The new administration did produce a cybersecurity strategy only a few months into the term, but White House watchers learned a lot from what it said and how it was edited.  The draft was reportedly produced on the schedule set by the President – within sixty days of his request.  But it didn't go to him on that schedule.  Instead, it went through a new set of edits, as office after office protected itself, its prerogatives, or its constituencies by removing controversial passages.

The result was mostly pabulum.  Pabulum of a sort that would have been familiar to the Clinton and Bush White Houses, of course, since they too had blinked when faced with hard choices over cybersecurity.

For example, the strategy recognizes that improving authentication of people and machines is a key to improving cybersecurity. While much of its attention is focused on just making sure that federal networks can properly identify users, it acknowledges as a goal the creation of a “global, trusted eco-system” that could form the basis of a secure network. But it call for that system to be built by working with “international partners” and by building an ecosystem that is seen to protect “privacy rights and civil liberties.”  Hard experience tells us that if building a secure network depends on the full support of the international and privacy communities, it will never happen.  

Business too was fully protected from the specter of security regulation in the Obama administration's strategy document, which   mentioned regulation just once – to declare that it would be considered only “as a last resort.”

By the time the editing was done, Washington knew that nothing dramatic would come from the cybersecurity initiative – or the new cybersecurity coordinator job the President had announced with fanfare.  Indeed, the position remained unfilled until the end of 2009. 

Three Presidents in a row had tried to change course and head off the worst consequences of Moore's law for our national and personal security. 

All three had failed. 

The privacy and business lobbies that guard the exponential status quo had defeated them all.

This is another excerpt from my book on technology, terrorism, and DHS, tentatively titled "Skating on Stilts."  (If you want to read the excerpts in a more coherent fashion, try the categories on the right labeled "Excerpts from the book." I'm afraid I can't fix the bug in TypePad that prevents me from putting them in the category in reverse-chronological order, but I have started putting chapters up in pdf form from time to time.)  Comments and factual quibbles are welcome, either in the comments section or by email:  fact.check.baker@gmail.com.  If you're dying to order the book, send mail to the same address.   

--Stewart Baker

And what about the “hard” option – just plain regulating?  You know, just putting network security requirements into the Federal Register? 

We couldn’t ignore that option, I thought. In fact, a lot of the most critical industries were already subject to government regulation. These included financial institutions, energy, and telecommunications. And some of these industries were already subject to cybersecurity regulation. Financial institutions, for example, must follow a unified set of cybersecurity rules. But even financial regulators don’t require particular security measures. The rules are largely procedural, resembling the instructions on a bottle of shampoo:  Institutions must study their vulnerabilities, cure them, assess the effectiveness of the cure, and repeat.

It’s hard to write rules that go beyond such procedural steps, because the attackers change tactics faster than regulations can be amended. What's more, the cost of mandatory security would be very high; it would slow innovation and productivity growth severely.

Even so, there's a case for mandating particular security measures for regulated industries.  It’s the Howard Crank problem all over again. Every year, the exponential growth of information technology makes our lives a little better, our businesses a little more efficient and profitable. And every year it leaves us a little more vulnerable to a military strike on our infrastructure that could leave us without power, money, petroleum, or communications for months.

Large parts of the country could find themselves living like post-Katrina New Orleans -- but without the National Guard over the horizon. That risk isn’t part of most companies’ balance sheet. It’s not hard to see that as the kind of market failure that requires regulation.

But even if there is a market failure, the government still isn’t well-equipped to solve it. At a minimum, the regulatory agencies would have to find a way to coordinate and issue standards much faster than they now write regulations.  Today, the practical speed limit is eighteen months from new idea to final rule.  There's not much point in replacing a predictable market failure with an equally predictable government failure.

And what about all the vulnerable IT networks that are not in the hands of regulated industries?  If they are compromised, the harm goes beyond the users of those networks. The compromised machines can be used to attack others, including government systems. To set standards in that world would certainly require new legislation.

Industry, we knew, wouldn’t like any talk about regulation. But they were fighting the last war.  New security legislation had in fact already been enacted, though in an odd, and mostly unfortunate, way. Laws have been adopted in all but five states that require companies to disclose any security breaches that lead to the disclosure of sensitive customer data. The more the federal government has dithered over security rules for industry, the more aggressively the states have moved into the opening. Their breach notification laws are becoming de facto security regulations for all companies. First, they punish bad security by forcing companies who are compromised to admit that fact, as long as some personal data was accessed. Second, in a crude way, they recognize that good security measures can make notification unnecessary, and that encourages companies to invest in technologies that are so recognized. For example, many state laws recognize that encrypted data may be safe even if the system it is stored on has been compromised. So, naturally, many companies have expanded their use of encryption to avoid embarrassing breach notifications.

The problem with these laws is that they don’t necessarily point companies in the direction of real security improvements. Because they only punish companies for breaches that disclose personal data, they have encouraged the companies to lock up or discard certain kinds of customer data – rather than focusing on keeping hackers out of their systems more broadly.

The problem is particularly acute in the area of stolen and lost laptops. Thousands of business laptops are lost or stolen every day. Usually, the thief wants the laptop, not the data. But if there is personal data in the laptop, that data has technically been compromised, thus forcing companies to send embarrassing notices to everyone whose data was in the computer. After a few such cases, companies begin to divert their security budget to double-locking laptop drives with passwords and encryption. Those measures won’t keep Ghostnet out of their networks, but they get the highest investment priority because of the peculiarities of state law.

By the same token, state laws expressly recognizing encryption of data as a defense have artificially heightened the priority that security offices assign to the deployment of encryption, even though it too would have done little to block a sophisticated attack. There are plenty of measures other than encryption that may be equally effective at providing a defense in depth, but state legislatures have not been able to draft laws that reward more comprehensive security.

Finally, state laws vary substantially, creating great tension for law-abiding companies, which find they cannot actually comply with all of the different laws. For all those reasons, we noted, there is growing support for a federal law that would set a single breach disclosure standard. We thought that such a law could also create incentives for higher cybersecurity standards. In fact, replacing inconsistent state notification laws with a security-minded federal law would be a victory for both security and innovation.

This is another excerpt from my book on technology, terrorism, and DHS, tentatively titled "Skating on Stilts."  (If you want to read the excerpts in a more coherent fashion, try the categories on the right labeled "Excerpts from the book." I'm afraid I can't fix the bug in TypePad that prevents me from putting them in the category in reverse-chronological order, but I have started putting chapters up in pdf form from time to time.)  Comments and factual quibbles are welcome, either in the comments section or by email:  fact.check.baker@gmail.com.  If you're dying to order the book, send mail to the same address.   

--Stewart Baker

The softest option was to nudge industry toward  security measures by offering liability protection in exchange. This is the most comfortable form of regulation for business, because instead of punishing bad behavior it rewards good behavior. This is something we understood at DHS, where we administered the Safety Act. That act provides liability protection to companies who manufacture and sell qualified anti-terrorism technology.

The idea behind the act is simple: Some anti-terrorism technologies work well but not perfectly; they reduce risk but don’t eliminate it. Unfortunately, after a terrorist incident, the people who have been fully protected by the technology will be grateful, and the people who haven't been fully protected will sue, claiming that the technology was defective, since it didn't protect them from all harm. That's not a recipe for encouraging the deployment of new technology. 

So, to keep fear of liability from squelching advances in technology, the Safety Act sets a cap on liability for approved technologies. There are a lot of conditions built into the act. Companies must, for example, carry whatever level of liability insurance DHS considers necessary to compensate people who may be harmed in a terrorist attack. But in return, the threat of open-ended, company-killing liability is taken off the table.

We thought that DHS could use the Safety Act itself to encourage companies to adopt some cybersecurity technologies. The protections of the act aren’t limited to physical products; they also cover services and information technology. We thought the act could even be applied to security services and processes, vulnerability assessments, and cybersecurity standards.

But the Safety Act wasn’t perfectly adapted to cybersecurity tools. Most hackers are not terrorists. In addition, network security measures work in layers. There is no single magic bullet that provides all security needs. If many security products fail to prevent an attack, and not all of them are covered by the Act, sorting out which ones caused the damage could require endless, expensive lawsuits. And, because network threats change so often, products designated under the Act would have to be updated frequently. And even with regular updates, the extent to which a particular technology provides protection will likely erode over time as attackers seek ways around the defense. At what point should protection be modified or withdrawn, we wondered, and who will press for that change?  Finally, the insurance market for cybersecurity products remains at best a work in progress, so it wasn't clear that adequate coverage was available. For these reasons, we concluded, the Safety Act was probably better as a model of what could be done without regulation than as a tool that could be used immediately to encourage broad cybersecurity measures.

We also noted a second “soft” way to influence business -- government purchasing standards. Many critical infrastructure companies do business with the U.S. Government. The government has great weight as a buyer of technologies, and it can influence the market for security by the standards it sets for its purchases. The government cannot, however, dictate terms to suppliers of technology. The government may be the single largest buyer of some technology, but it is far outweighed in the aggregate by private sector purchasers. Further, without new policies, the government wouldn't really act as a “single” buyer.  IT procurement is divided among many agencies, and these agencies would fight security standards that raise costs or reduce competition.

We wanted the government to consider a more unified approach to its procurement of information technologies.  We thought the government could establish government-wide contract models that incorporated preferred technologies and security practices requirements into federal contracts. In fact, some steps on this road had already been taken. Federal purchases are required by law to meet certain federal information security standards.

We knew, though, that using procurement to enhance commercial IT security is easier said than done. The U.S. Government’s first efforts to leverage its procurement power for IT security in procurements began in the 1970s, when the government established the Trusted Computer Security Evaluation Criteria—the “Orange Book”—and began to evaluate commercial products that were submitted for review. The idea, then as now, was to use federal contracts as an incentive for vendors to incorporate security measures in their products.

The scheme never had as big a security impact as hoped; the commercial market for computers rapidly outpaced the government market, and private purchasers came to perceive their security needs as different from those of the government. Sellers and buyers alike complained that security evaluation slowed adoption of current IT hardware and software.

For all those reasons, the procurement process has not so far turned out to be an effective way to influence network security.

This is another excerpt from my book on technology, terrorism, and DHS, tentatively titled "Skating on Stilts."  (If you want to read the excerpts in a more coherent fashion, try the categories on the right labeled "Excerpts from the book." I'm afraid I can't fix the bug in TypePad that prevents me from putting them in the category in reverse-chronological order, but I have started putting chapters up in pdf form from time to time.)  Comments and factual quibbles are welcome, either in the comments section or by email:  fact.check.baker@gmail.com.  If you're dying to order the book, send mail to the same address.   

--Stewart Baker

Cybersecurity regulation had been talked about for years. The Bush Administration had floated the possibility in 2002. Or, to be more precise, Richard Clarke had floated the idea.

Clarke was a flamboyant bureaucratic warrior camouflaged by the dress and haircut of a high school math teacher. A career official with a knack for building empires -- and making enemies -- he had risen to take charge of both cybersecurity and terrorism policy in President Clinton’s National Security Council. He later became famous briefly for his scathing denunciation of the Bush White House’s response to terrorism warnings.  But in 2000 he was better known as the man who had sponsored the failed Clinton Administration plan to build a monitoring network.

Clarke was held over by the Bush Administration, with the same two portfolios he had held under President Clinton -- terrorism and cybersecurity. But he never seems to have gained the same support in the new Administration as he had in the old one. After the attacks of 9/11,  pushed out of the terrorism job, he poured himself into his cybersecurity role, spending much of 2002 drafting a strategy for the new Administration. 

Always a hard-charger, Clarke had high ambitions for his new effort. He planned a grand event to unveil the strategy in September of 2002. Reportedly, the strategy sidled up toward new mandates for industry, calling on technology companies to contribute to a security research fund and pressing Internet service providers to bundle firewalls and other security technology with their services. But just days before the event, Clarke’s wings were publicly clipped. Industry had found more sympathetic ears at the White House, and he had too few friends at the top. His carefully honed strategy was unveiled, not as a final document but merely as a draft, for comment. And even for that purpose, anything that could offend industry, anything that hinted at government mandates, was stripped out.

For Clarke it must have been the final straw. He’d already been pulled off the terrorism account with brutal swiftness after 9/11, and now his year of effort on cybersecurity had ended in a public rejection of his work.

He stayed in the White House just long enough to produce a final strategy document that was as tepid as the draft. Then he quit.

Industry had claimed another scalp in its long campaign to head off federal mandates aimed at improving computer security. The President (though not industry) eventually paid a heavy price for Clarke's resentment.  The one-time security adviser became a harsh Bush critic, in testimony before the 9/11 Commission and other writings.

I thought of Clarke’s fate as we put together the report. Regulation had become an electrified third rail. Especially in a generally business-friendly administration, advocating more regulation was not likely to be career-enhancing.

But the status quo clearly wasn’t working. Moore's law was working against us. We had to find a way to change incentives, to get  information technologists to start building security into the foundation of our networks. It’s not that I thought regulation was always going to be the right answer. But I was sure that it had to be on the table. Especially because regulation didn’t have to mean classic command-and-control Federal Register rulemaking.

Government doesn’t have to issue mandatory rules to influence private sector behavior. It can use a variety of incentives to encourage security. So the policy office laid out a range of approaches, ranging from soft to hard.

This is another excerpt from my book on technology, terrorism, and DHS, tentatively titled "Skating on Stilts."  (If you want to read the excerpts in a more coherent fashion, try the categories on the right labeled "Excerpts from the book." I'm afraid I can't fix the bug in TypePad that prevents me from putting them in the category in reverse-chronological order, but I have started putting chapters up in pdf form from time to time.)  Comments and factual quibbles are welcome, either in the comments section or by email:  fact.check.baker@gmail.com.  If you're dying to order the book, send mail to the same address.   

--Stewart Baker

By the end of the Bush Administration, DHS was used to the idea that even the most obvious security measures would be opposed by privacy groups. We still had an obligation to do what we could to head off the building security risks.  We also knew intrusion prevention, valuable as it was, wouldn’t do that by itself.

We needed a broader strategy. In mid-2008, the Homeland Security Council asked DHS to provide options for a set of long-term strategy questions. The policy office was assigned to pull them together.

We found a lot of tough tactical questions that needed to be answered, but the real problem was our strategic posture. And only two ideas that offered any hope of curing our strategic vulnerabilities – attribution and regulation.

Attribution

Here’s our strategic security problem in a nutshell:  We are attacked every day by an imaginative, highly motivated, and anonymous adversary.   We can only prevail if we mount near-perfect defenses.  And, since there's no penalty for mounting an attack, the adversary simply tries again and again until something work.

This defensive strategy is, quite simply, too hard. A wholly passive strategy almost never works in the real world.

Take burglary. We certainly spend money on defense. A good lock on your door can keep burglars out of your home. But the lock isn’t all that good by itself. We take it for granted that burglars can’t sit on our doorsteps day after day, studying our lock and trying new lockpicks every evening to see what works. If they could, they'd find a way in sooner or later.

Burglars don’t sit on your doorstep because they're afraid of being busted. It’s the threat of the police that makes your lock as effective as it is.

Defending networks is the same kind of problem. Security measures are all well and good, but unless we can also identify and deter attackers, defense alone will never do the job.

We have a lot of ways to punish attackers once we identify them. It's identifying them that’s hard.

We began by trying to use the tools of law enforcement to identify the attackers. Practically all computer attacks are crimes, after all. They usually violate fraud, extortion, and computer abuse laws. Many attacks would be deterred if the perpetrators faced a realistic risk of arrest and prosecution. 

But crossing international boundaries on the Internet is easy. Attackers discovered very early that they could cover their tracks by breaking into lightly guarded computers in several countries and hopping from one to the next before launching an attack on their real target. That way, the police would have to track them back from country to country before discovering their real location. And doing that would require subpoenas valid in each country.

That wasn’t easy. To get one country to enforce another country’s subpoena requires patience and lengthy legal analysis. The country that’s being asked to enforce the subpoena will only do so if it too views computer attacks as crimes. It has to have the ability to carry out the search very quickly. Otherwise the logs will be overwritten and the evidence gone. Indeed, unless the information can be gathered nearly instantaneously, the attackers will always have the advantage. They can compromise new machines and add new hops to their route faster than the police can serve subpoenas to track them.

This problem has been obvious for more than two decades. The United States began encountering it in the 1980s, and by 1989, it had persuaded the Council of Europe to propose work on an international agreement to streamline the identification process. Getting that far took great effort.  The Justice Department had to explain why it needed such an instrument over and over to less computer-savvy governments.

Not until late 2001 was there actual agreement in principle on a few very basic steps – making computer hacking a crime and naming a contact point to handle subpoena requests quickly. And that simply marked the start of a long slow international lawmaking process. The convention didn’t come into effect until 2004, when a grand total of three countries ratified it. As of 2009, fifteen countries had fully ratified and acceded to the convention, and 28 more were in various stages of adopting it. As international efforts go, that is a considerable success (although the numbers are inflated by the European Union, which has pressed its 27 members to join, along with EU satellites like Liechtenstein).

And what does the Convention do to solve the attribution problem?  In essence, the members of the Convention have agreed that they will adopt a common set of computer crimes and that they will assist each other in investigating these crimes.

That’s it. A good thing, no doubt, but hardly likely to stop the massive attacks we see today. Hackers have compromised hundreds of thousands, sometimes millions, of machines. If they chose to hop from one of those to the next before launching an attack, the authorities would need to serve hundreds of thousands of subpoenas in dozens of countries – and to do it as fast as the hackers could move from one machine to the next. The hackers can move at the speed of light – literally.  The governments can move at the speed of paper, courts, and sealing wax.  It's no contest.

At best, the Convention offers a partial solution to computer crime as it existed in the 1980s. But building a consensus for even its limited  measures took over a decade. And even then, the consensus was distinctly limited in geographic reach. Neither Russia nor China has shown any inclination to adopt the Convention. Nor, for that matter, have thoroughly wired countries like South Korea, Brazil, Nigeria, Singapore, and Australia. So even if we still lived in the 1980s, there would still be plenty of places in the world for hackers to hide.

The only alternative to the Convention that the international community has found is worse – and in a thoroughly predictable ways.  Led by Russia, the United Nations has recently been touting the idea of “disarmament talks” for cyberspace. 

There are several possible motivations for such a proposal.  One possibility is that the Russians genuinely believe that an arms control treaty for cyberspace would be good for all concerned, demilitarizing and taking the fear of disaster out of the networks on which the world relies.  Unfortunately, that’s not particularly likely.  You can't have a real arms control agreement unless you can verify compliance.  But as we’ve seen, a principal feature of computer attacks is the difficulty of attribution.  If attacks continued after “disarmament” how would we know that anyone had disarmed?   

The Russians model seems to be the multilateral chemical and biological weapons conventions negotiated in Geneva during the Cold War.  By the usual standards of the international community these are wildly successful agreements, adopted by more than 150 countries.  They proved wildly successful from the Soviet point of view as well, since the United States actually abandoned its chemical and biological weapons after signing the conventions while the Soviets kept theirs in place.  Even more remarkably, the United States managed to get a black eye in the process, because it had the temerity in 2001 to tell the international community that the convention was unverifiable, that it could not prevent proliferation of biological weapons, and that there was no point in establishing intrusive inspection regimes that would not work. 

From the Russian point of view, replaying this drama has no downside.  If an agreement is reached, the US, with its hypercompliant legal culture now fully integrated into military planning, will undoubtedly adhere to any ban the new agreement imposes.  But countries that want to use the tools of cyberwarfare will be free to do so, relying on the anonymity that cloaks attackers today.   If the US sees that trap and refuses to accept an unenforceable agreement, the international community will replay the drama that accompanied the US refusal to negotiate an unenforceable biological weapons protocol.

Just agreeing to consider the proposal, as the new Administration seems to have done, allows Russia to divide us from our allies in Europe -- who always seem eager to put new international legal limits on warfare, even if the limits can’t actually be enforced. 

In the end, then, our inability to solve the problem of attribution and anonymity poses severe threats not just to our pocketbooks but to our national security and our international standing.  We thought that it was foolish to solve the problem with what Harvard law professor Larry Lessig once called “East Coast code” – laws and treaties.  Instead, we thought, the answer would prove to be “West Coast code” – software and hardware design. In the long run, we needed an architecture that automatically and reliably identifies every machine and person in the network. 

We knew that privacy groups would melt down if anyone proposed to do that for the Internet. Anonymity has become (wrongly in my view) equated with online privacy. Any effort to cut back online anonymity will be resisted strongly by privacy groups. And they'll be able to find popular support, at least for a time.  Practically everyone does something on line that they are ashamed of.

At the same time, practically everyone spends large parts of the day on a network where their every action is identified and monitored. Most corporate networks have robust attribution and audit capabilities, and the insecurity of the public networks is forcing private networks to study the conduct of their users ever more closely in the hopes of identifying compromised machines before they can cause damage.

In trying to chart a broad network security strategy, I thought we needed more research and incentives to improve audit and attribution capabilities in hardware and software. And we needed architectural and legal innovations to encourage one secure and attributable network to link up securely with another. In the long run, and perhaps in the short run, that sort of organic linking among attributable systems may be the only way to build a network on which identification is rapid and sure.

That doesn’t mean the old, anonymous Internet has to disappear. But I suspect we’ll have to create a new network that coexists alongside the old one. Users who value security – who want an assurance that their financial assets and their secrets will not be stolen by hackers– will choose the secure alternative, at least most of the time. 

The policy office at DHS put that idea forward as an option for consideration by the Homeland Security Council.

This is another excerpt from my book on technology, terrorism, and DHS, tentatively titled "Skating on Stilts."  (If you want to read the excerpts in a more coherent fashion, try the categories on the right labeled "Excerpts from the book." I'm afraid I can't fix the bug in TypePad that prevents me from putting them in the category in reverse-chronological order, but I have started putting chapters up in pdf form from time to time.)  Comments and factual quibbles are welcome, either in the comments section or by email:  fact.check.baker@gmail.com.  If you're dying to order the book, send mail to the same address.   

--Stewart Baker

It’s remarkable when you think about it. Right now, this minute, agents of an authoritarian government are covertly turning on cameras and microphones in homes and offices all across America, spying on the unsuspecting and the innocent. They’re recording our every thought, our every keystroke, as we prepare private documents or visit websites.

And they’re able to do that today thanks to the hard work of privacy advocates.

How did the privacy community end up facilitating surveillance and espionage on an unprecedented scale?  History, mainly, and a lack of imagination.

The men and women who built the computer industry grew up in a very different era from those who pioneered the air travel industry.  Air travel enthusiasts first launched commercial flights between the two world wars, when government was big and military risks were on everyone’s mind. The pioneers were children of their age.  They foresaw a world in which air travel was used for military and espionage purposes; they understood that unregulated flights could lead to disaster as the skies filled up. To manage those risks, they helped the government fashion a comprehensive regulatory scheme for pilots, airlines, and airplanes.

Computer technology, in contrast, was born in the wake of World War II, at a time when the challenge of totalitarianism was on everyone’s mind. The men and women who built the earliest computers were children of a different era.  They most feared that their machines would be misused by authoritarian governments. Unlike an earlier generation of technologists, they struggled to limit government’s role in their industry. And they succeeded. From electronic intercepts to information processing practices, for the next forty years, laws on information technology were aimed as much at regulating the government as at regulating the industry.

By the time the threat of widespread computer misuse finally arrived, the privacy groups already had a narrative fixed in their mind. They could not imagine any threat to computer users’ privacy that could be worse than the one they saw in the United States government. Saying no to the government was their default position.

This is another excerpt from my book on technology, terrorism, and DHS, tentatively titled "Skating on Stilts."  (If you want to read the excerpts in a more coherent fashion, try the categories on the right labeled "Excerpts from the book." I'm afraid I can't fix the bug in TypePad that prevents me from putting them in the category in reverse-chronological order, but I have started putting chapters up in pdf form from time to time.)  Comments and factual quibbles are welcome, either in the comments section or by email:  fact.check.baker@gmail.com.  If you're dying to order the book, send mail to the same address.   

--Stewart Baker

It didn't matter how obviously necessary a security measure was.  Resistance to any change was strong. A case in point was the effort to install intrusion monitoring on the federal government's own networks.

To succeed, most cyberattacks must do two things. The hackers first have to get malicious code into the network they’ve targeted. Then they have to get stolen information out. If we can detect either step, we can thwart the attack. So one way to defend our networks is to do a thorough job of monitoring traffic as it goes in and out.

We’ve known this for a decade. The Clinton administration’s cybersecurity strategy, drafted in 1999 and released in early 2000, called for a network of intrusion detection monitors that could inspect packets going into and out of all federal government networks. President Clinton requested funds for intrusion monitoring in his outgoing budget. But civil libertarians quickly launched a campaign against it.

It was an odd battle for them to choose. The point of the monitoring network was to inspect government communications. Even the most extreme privacy zealot shouldn’t be shocked to discover that the government was reading its own mail, much less that it was inspecting its mail for malware.  By then, government agencies were already screening emails for spam; the intrusion detection network simply extended that concept to other unwanted packets. What’s more, since roughly the 1980s, these computers had been displaying warnings users that government systems are subject to monitoring.

But privacy groups were spoiling for a fight. They portrayed the proposal as the second coming of Big Brother.

"I think this is a very frightening proposal," an ACLU representative told ZDNet News.

"We feel the government should spend its resources closing the security holes that exist, rather than to watch people trying to break in," said a counsel for the Center for Democracy and Technology.

"I think the threats (of network vulnerability) are completely overblown," said the general counsel for the Electronic Privacy Information Center, adding that claims of a security threat is leading to "a Cold War mentality" that threatens ordinary citizens' privacy.

In the end, civil liberties resistance was so strong that only the Defense Department was allowed to build an intrusion detection network. For years thereafter, the civilian agencies experienced intrusions that could have been prevented by the intrusion prevention system proposed by President Clinton. But once burned was twice shy. The privacy groups had thoroughly tainted the idea of intrusion prevention on the Hill, and there was real reluctance to revisit the issue. When the Bush Administration wrote its cybersecurity strategy, it did not even try to revive the idea.

Finally, though, five years later, the Bush Administration decided to force the issue. Mike McConnell, the Director of National Intelligence, had been my boss at NSA, and he had spent the years after leaving NSA building a cybersecurity practice at a large consulting firm. A quiet, self-deprecating Southerner with a talent for briefing higher-ups, McConnell was determined to move cybersecurity to the front burner.

He didn’t have to work too hard to persuade DHS to take on the challenge. We were alarmed at the ease with which attacks were being launched against civilian agencies. With the backing of President Bush and Mike McConnell, we again proposed an intrusion detection network for civilian agencies. And civil libertarians once again renewed the fight to stop us – as though nothing had changed in ten years. Without the slightest evidence of irony, they again raised privacy objections to the government monitoring its own communications.

We got further than President Clinton did, but not much. Congress appropriated funds for the project, but it had not been fully implemented when Barack Obama was elected President. Spooked by the privacy outcry, the Obama Administration postponed full implementation of intrusion monitoring so that it could again examine all of the privacy issues. Pilot projects are underway, but final decisions about how, when, and whether to implement effective intrusion monitoring are still awaiting consensus among the lawyers.

Meanwhile, attacks similar to those that compromised the Dalai Lama’s network are continuing. The privacy debate had caused ten years of delay, and it may yet kill an effective intrusion prevention system.

This is another excerpt from my book on technology, terrorism, and DHS, tentatively titled "Skating on Stilts."  (If you want to read the excerpts in a more coherent fashion, try the categories on the right labeled "Excerpts from the book." I'm afraid I can't fix the bug in TypePad that prevents me from putting them in the category in reverse-chronological order, but I have started putting chapters up in pdf form from time to time.)  Comments and factual quibbles are welcome, either in the comments section or by email:  fact.check.baker@gmail.com.  If you're dying to order the book, send mail to the same address.   

--Stewart Baker

omehow, this problem too ended up on DHS’s plate. We were supposed to figure out what could be done to improve the country's network security.

It was a snakebitten assignment. Two Presidential cybersecurity strategies – one devised by the Clinton Administration and one by the Bush Administration -- had already run into the ground before DHS was created.

Perhaps those who created DHS hoped that it could succeed where two Presidents had failed. In any event, they gave the new department responsibility for civilian cybersecurity. The National Communications System, which ensures the availability of telecommunications in the event of an emergency, was transferred from Defense. The FBI gave up its National Infrastructure Protection Center, which focused on cybersecurity (and promptly recreated the capability under another name so that it could keep fighting for the turf). The Federal Computer Incident Response Center, which handled computer incident response for civilian agencies, came over from the General Services Agency.

These offices fit well with other DHS missions.  Two of its big components -- the Secret Service and Immigration and Customs Enforcement -- have  cybercrime units. And DHS was supposed to protect from physical attack the critical infrastructure on which the economy depends.

In carrying out these duties, DHS could get technical help from the National Security Agency, which was in charge of protecting military and classified networks. But the responsibility for civilian cybersecurity obligations left DHS on the hot seat. If we couldn’t find a way to head off disaster, no one else in government would.

For the first few years of the department’s existence, to be candid, we didn’t accomplish much. There were lots of reasons for that. Fixing travel and border security was more urgent. Staff turnover was high and expertise  thin in our cybersecurity offices. But the real reason we didn’t get far was that the same forces arrayed against change in the travel arena were lined up against change in information technology.

Businesses had staked their futures on continued exponential growth in information technology. They didn’t want policy changes that might change the slope of that curve even a little. Privacy groups instinctively opposed anything that would give the government more information about, well, about anything. And even when it was supportive, the international community was so slow to change direction that it posed an obstacle to any policy that was less than twenty years old.

This is another excerpt from my book on technology, terrorism, and DHS, tentatively titled "Skating on Stilts."  (If you want to read the excerpts in a more coherent fashion, try the categories on the right labeled "Excerpts from the book." I'm afraid I can't fix the bug in TypePad that prevents me from putting them in the category in reverse-chronological order, but I have started putting chapters up in pdf form from time to time.)  Comments and factual quibbles are welcome, either in the comments section or by email:  fact.check.baker@gmail.com.  If you're dying to order the book, send mail to the same address.  I'm still looking for an agent and a publisher, so feel free to make recommendations on that score too. 

--Stewart Baker

You might think that’s the worst of it.

But it’s not, quite. It’s not just that you could lose your life savings. Your country could lose its next war. And not just the way we’re used to losing – where we get tired of being unpopular in some third-world country and go home. I mean losing losing:  Attacked at home and forced to give up cherished principles or loyal allies to save ourselves.

Plenty of countries are enthusiastic about using hackers’ tools as weapons of war. At the start of a 2008 shooting war between Georgia and Russia over South Ossetia, for example, numerous Georgian websites were swamped by denial of service attacks. Security researchers found evidence that the attacks were coordinated and organized by Russian intelligence agencies. The year before, Estonian government agencies and banks were also crippled by denial of service attacks after the Estonian government moved a World War II memorial that had become a symbol of Soviet colonial rule. Estonia’s foreign minister charged that the Russian government was behind the attacks; Russia denied the allegation and NATO, and European investigators could not refute the denial.

China has also been accused publicly of audacious computer attacks. The German Chancellor, Angela Merkel, discovered that her office computers had been compromised in an attack blamed on the People’s Liberation Army.  India, France, and Taiwan have also suffered intrusions and attacks attributed to China. The compromise of the Dalai Lama’s network was also widely blamed on China. Like Russia, China has consistently denied all charges.

As I said before, in a strategic sense, the denials don’t really matter. If the attacks weren’t carried out by Russian and Chinese government agencies, that just means that there are more organizations and countries with effective cyberintelligence and cyberwarfare capabilities than we thought. And, in fact, five or ten years from now, there will be. That’s because cyberattacks don’t require heavy capital investments, the way nuclear weapons or stealth fighter jets do. Any nation willing to put ten of its best computer experts to work on a cyberintelligence program could probably have one in a year or two. (The Conficker worm that brought down British and French military systems could easily have been written by a single well-trained person.)  Many cyberattacks are simply a matter of individual effort. Put enough smart people on enough targets, and some of them will get through.

And that’s why attacks on computer networks pose such a strategic threat to the United States in particular. We are an important intelligence target for practically every nation on earth. And attacking our networks is nearly risk free; the list of suspects is about as long as the UN membership roster. In fact, there are incentives for them to help each other break into our networks. (“I've seized control an email server at USDA, but what I really want is USTR’s. Want to trade?  I could throw in the Commerce Secretary’s password to balance the deal.”) 

If you’re a foreign government, breaking into US networks is a twofer. You can start by stealing secrets. But if push comes to shove, you can use your access to destroy the same systems you’ve been exploiting. Corrupt the backup files, then bring the whole system down. Or start randomly changing data and emails until no one can trust anything in the system.

It won’t take much to create chaos. The financial crisis of 2008 became a panic when bankers began to disbelieve each other. No one trusted the other guy’s books, so they stopped lending, and the world crashed. Could that same mistrust be created by modifying or destroying a few firms' computer accounting and trading records?  We probably don’t want to find out.

It’s no secret how to fight a war against the United States. Slow us down, then cause us pain at home and wait for antiwar sentiment to grow. Cyberattacks are ideal for that strategy. Everything in the country, from flight plans and phone calls to pipelines and traffic lights, is controlled by networks susceptible to attack. A determined, state-sponsored attacker could bring them all down – and blame it on some hacker liberation front so we wouldn’t even know who to bomb.

The Pentagon has heard fifty years of warnings about not fighting land wars in Asia, where hand to hand fighting and sheer numbers can overwhelm an American army’s technological edge. But now it turns out we’ve opened an electronic bridge, not just to Asia but to the rest of the world, and now we’re trying to defend ourselves hand to hand against all comers. It’s hard to see how that ends well.

***

So that’s the nub of the problem. No law of nature says that the good guys will win in the end, or even that the benefits of a new technology will always outweigh the harm it causes.

The exponential growth of information technology has made the Pentagon far more efficient at fighting wars; it has made our economy far more productive.

So far, it’s been very good to us as a nation.

But it was good to Howard Crank, too, for a while. 

This is another excerpt from the book I'm writing on technology, terrorism, and my time at DHS, tentatively titled "Skating on Stilts."  (If you want to read the excerpts in a more coherent fashion, try the categories on the right labeled "Excerpts from the book." I'm afraid I can't fix the bug in TypePad that prevents me from putting them in the category in reverse-chronological order, but I have started putting chapters up in pdf form from time to time.)  Comments and factual quibbles are welcome, either in the comments section or by email:  fact.check.baker@gmail.com.  If you're dying to order the book, send mail to the same address.  I'm still looking for an agent and a publisher, so feel free to make recommendations on that score too. 

--Stewart Baker

Maybe you’re not ready to agree with me. Maybe you’re worried that these security alarms are a little too convenient – perhaps just an excuse for the government to spy on Americans and interfere with the economic engine of Silicon Valley. Surely, you think, there are still a few good defenses left.

Well, let’s take a look at some of the top reasons that people think computer security risks can be managed successfully.

It’s a Microsoft Problem. I know plenty of people who still believe that Microsoft’s products are uniquely insecure, and that all we need to do is get Microsoft to clean up its act or take our business elsewhere. For some, the security of Linux was an article of faith; its source code is open to inspection by anyone, so it is protected from exploit by all those watching eyes. And Apple, which didn’t even offer an antivirus program for decades, was protected by, well, by Steve Jobs’s sheer animal magnetism.

The last few years have been hard on those illusions. As Apple gained market share, malware authors began writing for its operating system, and they didn’t have any trouble finding holes. It turns out that, according to a 2009 Blackhat talk, even Apple’s keyboards can be hacked to reveal all the user’s keystrokes. Apple now recommends that its users run multiple antivirus programs. 

And all those eyes on Linux’s code?  In August of 2009, they discovered a bug in the central core of Linux; it would allow an attacker to acquire complete administrative control of any machine he could touch. You might call that a success for open source, except that the bug had been hiding in plain sight for at least eight years.

Turns out the reason there is so much malware running on Windows is the same reason there are so many other applications running on Windows. That’s how to reach the largest number of users.

It’s a Password Problem. I used to take a lot of comfort from the fact that I didn’t use just passwords for the things I most wanted to keep secure. I used a token. Every 30 seconds it displayed a different security code, known only to me and my home server. Even if a hacker could compromise my machine and record all my keystrokes, he couldn’t know what the token was going to say next.

But this is the age of Twitter – and real-time hacking. For at least the last couple of years, criminals have been able to beat these token systems. Now, when the owner of a compromised machine starts typing in his temporary code, the malware phones home immediately. As the owner types, each digit is sent to the hacker, who simply logs in with him.

Really Important Transactions Can Be Confirmed Offline. If you’re really worried, you may have locked down your financial accounts, so no money can leave the institution without a call to verify the transaction. In fact, even if you haven’t locked everything down, you may get a call. Like the credit card companies, mutual funds and financial institutions have stopped trusting their customers’ computers.  For risky transactions, they insist on offline, or out-of-band, confirmation.

Out-of-band communication is today’s most common failsafe solution for computer compromises. To restore control of his Facebook account, for example, Bryan Rutberg had to send Facebook a separate, out-of-band message from a separate account.

But using another line of communication won’t solve the problem for long. Hackers have already begun to build blocking programs into their malware. The programs prevent users from getting to websites that might detect and cure their infections. In the future, these programs may be able to thwart other efforts to cure an attack – diverting emails, for example, or corrupting  the user’s attempts to log on to hijacked sites.

The banks’ offline solution is also at risk. Finding a truly offline method of communication is going to get harder. Businesses and consumers are switching in large numbers to “voice over IP,” or VOIP, telephony. They cannot resist the allure of bringing to voice communications the cheap, flexible features of Internet communications. They cannot resist going just a little faster on the bike.

But the switch means that they are also bringing to voice communications all the insecurity that plagues other Internet communications. This raises the prospect of a whole new set of attacks, from “voice spam” and fraudulent telephone calls to the theft of incoming and outgoing phone calls. If an attacker who has compromised your computer’s online bank account is also able to appropriate your Internet telephone, then it will be easy for the attacker to answer the phone when the bank calls – and to confirm that you really do want to transfer your life savings to Spain or Nigeria. At that point, it will be cold comfort that switching to VOIP cut your monthly phone bill from $40 to $10 or even to  $0.

The Military Has Solved the Problem With Classified Networks. The government used to have its own illusions about security. Maybe our unclassified networks are compromised, Defense Department officials used to say, but the classified networks are still bombproof. They can’t be compromised by all this malware floating around the Internet. Because they aren’t connected to the Internet. There’s an “air gap” between the two.

That assumes of course that network security decrees are perfectly enforced – and that the most important secrets are only discussed on classified networks -- notions that contradict everything we know about human nature.

But never mind, because the air gap illusion too has fallen prey to the exponential empowerment of hackers that we’ve seen in recent years.

The French navy’s Rafale Marine jets train out of Villacoublay air base, in the southwest suburbs of Paris. These fighters are state of the art, packed with stealth and electronic warfare capabilities and capable of landing on carriers. But to do that, they first have to take off. And for two days in January, the jets couldn’t take off. They’d been grounded by a hacker.

The “Conficker” computer worm had been exploiting vulnerabilities in Windows servers for months. It was the most ambitious computer infection in years. At the time it had infiltrated as many as 15 million machines around the world. One of the ways it spreads is by infecting the USB thumb drives that carry data from one machine to the next. Even classified or isolated networks could be captured if a bad thumb drive was used to transfer data to a machine on a secured network.

That’s what grounded the French fighters. Before the navy even knew it was under attack, the worm was coursing through its internal network. Rushing to contain the damage, the navy told its staff not to turn on their machines, and its systems administrators began quarantining parts of the network. Too late for Villacoublay. Its systems were already hosed.

The Rafale fighter downloads its flight plans, a far more efficient process than paper-based systems. But once the contagion had spread to Villacoublay no flight plans could be downloaded. Until an alternative method of delivering the flight plans could be cobbled together, the Rafales were no more useful than scrap iron.

The French press reported the embarrassment in detail. Perhaps as consolation, it was careful to note that things could have been worse – and were, in Great Britain. There, the press said, 24 RAF bases and three-quarters of the Royal Navy Fleet had succumbed to Conficker.

The British and French navies may have been unintended victims of a worm designed for criminal ends. But after Conficker, no one can believe that an air gap is a security fail-safe.

They’re Not Looking for Me. The last of the illusions, or at least the last of mine, is that I’m just not that interesting. Other people have more money. Other people have more valuable secrets. Who’s going to come looking for me?

That’s the last hope of every herd animal. The predators can’t eat everyone. If you lay low and blend in, they won’t pick you.

Wrong on two counts, I’m afraid. First, take this test. Add up your savings, car value, house equity, and investments. Is the total over $65,000?  If so, you’ve got a lot of company on the globe. Probably ten percent of the world’s 6.8 billion people have assets exceeding that amount – say 700 million in all. Being one in 700 million sounds like pretty good herd-animal odds until you realize that, for every person with more than $65,000, there are nine people with less.

As computers become exponentially cheaper, most of those nine people will be able to get on line. Then there will be nine people looking for ways to take money from you. And another nine for your spouse, nine for your neighbor, and nine for each of your business partners. Maybe nine each for every person you know.

So they can eat everyone.

There are already Nigerian hip-hop anthems and videos celebrating the rolling-in-money “Yahoozees” who fleece Americans like Howard Crank. The world is already full of scam artists willing to work for less than minimum wage. Most of them know English and have access to the Internet.    

The relentless march of empowerment will soon give the Yahoozees of the third world new tools for finding you. In a way, that’s what a Spanish lottery email does. Most of us delete lottery spam. But if one in ten thousand responds, even with great caution, that person has selected himself for fleecing, and the pitch can then be tailored precisely to his failings. So what if that part of the scam is a bit labor intensive?  There are nine people with nothing better to do than sit around trying to get into the mark’s head.

Remember that real-time password-stealing program?  Well, the thieves don’t have to go looking for rich people to infect. Instead, they infect everyone, and let the malware find the rich ones. The password-stealing program consumes an infinitesimal part of a modern chip’s processing power to run quietly in the background, watching and waiting until its victim logs on to one of about 1500 predetermined financial sites. Anyone logging in to one of those sites, the authors figure, probably has enough money to be worth cleaning out. So when an infected computer sets itself apart from the crowd by logging on to a financial site, the malware alerts its author, who can now focus on taking money from that computer’s owner.

Moore’s Law has taken a lot of the work out of the hunt. And, thanks to the empowerment of information technology, it will keep making the job exponentially easier, year in and year out.

Until the predators find you, too.

This is another excerpt from the book I'm writing on technology, terrorism, and my time at DHS, tentatively titled "Skating on Stilts."  (If you want to read the excerpts in a more coherent fashion, try the categories on the right labeled "Excerpts from the book." I'm afraid I can't fix the bug in TypePad that prevents me from putting them in the category in reverse-chronological order, but I have started putting chapters up in pdf form from time to time.)  Comments and factual quibbles are welcome, either in the comments section or by email:  fact.check.baker@gmail.com.  If you're dying to order the book, send mail to the same address.  I'm still looking for an agent and a publisher, so feel free to make recommendations on that score too. 

--Stewart Baker

The Office of His Holiness the Dalai Lama is partly a religious, partly a diplomatic mission. The Dalai Lama travels widely and seeks audiences with foreign diplomats and officials to demonstrate support for his faith and for Tibetan independence. The Chinese government in turn vehemently opposes an independent Tibet and does all it can to discourage official meetings with the Dalai Lama.

The Dalai Lama’s travel schedule is thus a matter of high state interest, and the planning of his meetings has an element of cat and mouse about it. The Dalai Lama’s office finds that the best way to set up those meetings is first to send an email to the officials the Dalai Lama hopes to meet and then follow up quickly with a telephone call.

But around the early part of 2008, something odd began to happen. The Dalai Lama’s office would send an email to a diplomat as usual proposing a meeting. Then it would call to discuss the details, again as usual. But the diplomat’s office would be strangely cool. “We’ve already heard from the Chinese government,” the diplomat’s staff would say, “and they’ve strongly discouraged us from having this meeting.”

***

The Dalai Lama and his office had been using the Internet since the 1990s.   His network administrators know the risks, and they'd been careful about computer security for years. They’d implemented the standard defenses against network attacks. They didn’t know what had happened. But the evidence of a serious breach was simply too strong.

They called in a team of Western computer security experts. What the experts found was deeply troubling, and not just for the Dalai Lama.

Some of the Dalai Lama’s staff participates in Internet forums. They chat with other, like-minded individuals about the Dalai Lama’s goals and activities. Sometimes one of their online acquaintances sends them Word or .pdf documents relevant to those activities.

The experts concluded that hackers had monitored these forums and then forged an email from a forum participant to a member of the Dalai Lama’s staff attaching a document of mutual interest. When the staff member opened the document, he also activated a piece of malware packed with it. While the staff member was reading the document, the malware installed itself in the background.

The malware was cleverly designed; two-thirds of commercial antivirus software programs would have missed it. (Hackers often subscribe to antivirus software so they can test their malware against it at leisure.)  Even if one attachment was stopped, it would be a simple matter to retransmit the message using a different bit of malware; the attackers could keep trying until something got through.

Once installed, the malware would “phone home,” uploading information about the victim’s computer and files to a control server operated by the hackers. Next, the captured computer would download more malware to install on the staff member’s machine. This was often a complete administrative program that would allow the attackers to control the staffer’s computer, and in some cases the entire network.

The administrative malware took full advantage of the empowerment made possible by today’s technology. It featured a graphic interface with dropdown menus offering even an unsophisticated attacker a wide variety of options.

Want to record every keystroke as the user types so you can steal all his passwords?  Check one of the options on the menu.

Want to turn on the user’s microphone, turning it into a bug so you can listen to the office conversations?  Check another box.

Want video straight from the user's desktop camera?  That's just another option on the menu.

In the end, the Dalai Lama's office was living a version of Orwell's 1984.  Telescreens in each room spied on the occupants.  But in this version of 1984, Big Brother didn’t even have to pay for this spy equipment. It had been purchased and installed by the victims.

Once the hackers had compromised a single computer on the network, it wasn’t hard to compromise more. Every time an infected computer sent a document by email, malware could be attached to the file. The recipient couldn’t possibly be suspicious; the email and attachment were exactly what he expected to receive from his colleague. He opened the document. The malware installed itself in the background. The cycle began again.  It was an entire network of surveillance, dubbed Ghostnet by the security team.

Ghostnet has lessons for all of us.  You may be sure you wouldn’t fall for the Spanish lottery, and perhaps not even for a Facebook call for help, but it’s hard to find any comfort in this story.

Do you rely on standard commercial antivirus software to scan attachments?  Do you open documents sent by people you’ve met on line?  How about documents from prospective customers or clients?  Or old friends you recently connected with on line?  Do you open mail and documents sent to you by coworkers?  

Of course you do. So do I. And that means that most of us are no more able to defend ourselves from this attack than the Dalai Lama was.

If there were any doubt about the scope of such attacks, they were eliminated by what  the security team did next.

They took another look at the IP address of the hacker’s control server, and asked a simple question.

“Do you think hackers who need a graphic interface to steal secrets are really good at locking down their own computers?” I imagine the Canadian team sharing a mischievous smile as they asked.

Perhaps a veil should be drawn over exactly what they did next. Hacking is illegal in most jurisdictions, even if you're hacking someone who has just hacked you.  Using methods they decline to specify, the security team was able to verify that whoever attacked the Dalai Lama’s network was indeed much better at breaking into other people’s computers than at keeping intruders out of their own.

Finding themselves inside the hackers’ control servers, the security team naturally had a look around. They watched as reports came in from the Dalai Lama’s computers. But that’s not all. Reports were coming in from other computers as well. Hundreds of them.

The hackers who compromised the Dalai Lama’s network were collecting data from nearly 1300 other computers. Who else had been targeted by the attackers?  That wasn’t hard to find out. All the security team had to do was to ask who owned the IP addresses of the compromised computers.

What they found was a Who’s Who of Asian organizations that ought to be highly concerned about -- and pretty good at -- computer security. Indian embassies in the United States, Germany, and the United Kingdom. The foreign ministries of Iran, Indonesia, and the Philippines. The Prime Minister’s office in Laos. All were in thrall to the attackers’ servers. Computers in sensitive businesses, from the Asia Development Bank to Vietnam’s petroleum company, were also sending the attackers their data.

And, even though this set of attacks does not seem to have been aimed at the United States, Ghostnet was collecting reports from computers that belonged to Associated Press and the auditing firm of Deloitte & Touche.  Oh, and NATO too.

No one was safe.

The security team split on the question whether to assign responsibility for Ghostnet to China. Some said it must be the Chinese government. Others were willing to let the facts speak for themselves. The Chinese government denies everything.

But there’s not much comfort for us in the denials. The attacks happened, and they worked. If a government wasn’t responsible, then this kind of capability is already in the hands of organized crime. Indeed, with its script-spy graphic interface and unsecured control servers, the whole episode underlines a troubling fact. Thanks to exponential empowerment, today’s hackers don’t even have to be very good.  Empowered by democratizing technology, they can still beat our best defenses.

In fact, something similar to Ghostnet is already being used by organized crime.  Most businesses depend on bank clearinghouse accounts or electronic fund transfers to pay their bills.  They log on to bank sites using passwords; for larger amounts they may also be asked a set of “challenge questions” seeking information only the businesses know.  But corporate officials also open email attachments from business contacts, and once attackers have access to the officials' keystrokes, neither the password nor the challenge questions offer any security.  Hackers have stolen more than $100 million from US businesses using this technique, the FBI reported in October 2009.

I wasn’t in government in 1998 or 2003, when the Clinton and Bush administrations called for new computer security measures. I didn’t get the classified briefings that galvanized both presidents. Now I figure I don’t have to.

This is scary enough.

This is another excerpt from the book I'm writing on technology, terrorism, and my time at DHS, tentatively titled "Skating on Stilts."  (If you want to read the excerpts in a more coherent fashion, try the categories on the right labeled "Excerpts from the book." I'm afraid I can't fix the bug in TypePad that prevents me from putting them in the category in reverse-chronological order, but I have started putting chapters up in pdf form from time to time.)  Comments and factual quibbles are welcome, either in the comments section or by email:  fact.check.baker@gmail.com.  If you're dying to order the book, send mail to the same address.  I'm still looking for an agent and a publisher, so feel free to make recommendations on that score too. 

--Stewart Baker

The young Tibetan girl waited quietly in line at the border. Call her Dechen, though that’s not her real name. She had spent two comfortable years studying in Dharamsala, India. Now she was going home. She had made the long trip across Nepal to the border with Tibet. The border crossing made her uneasy, but she told herself the Chinese border guards had no reason to stop her.

Dechen was a follower of the Dalai Lama, and she had spent much of her time in India conducting computer chat sessions with his supporters inside China. But she had been careful. She really had been a student. There was no way the Chinese government could know what else she had done. Or so she hoped.

Dechen stepped forward and presented her identification to the guards. They looked it over with care. Too much care. Something was wrong. Her heart sank. She was under arrest.

She spent months in captivity. Dechen clung to her story.

– I was a student. They cannot know what else I did, she must have told herself.

But over and over, intelligence officers accused her of working for the Dalai Lama’s youth group. Over and over, she denied it. She was being held incommunicado, without support from friends or relatives, but if she held firm, they would have to let her go.  She stuck to her story.

Finally, the officers lost patience. They showed her a file. It held a full transcript of her online chat sessions. It covered years. They’d known everything, recording it as she typed. All her attempts at security, all the work of the Dalai Lama’s youth group, had been defeated. They knew her coworkers too. They could expect the same treatment she got, or worse, if they returned. It was over.

This is another excerpt from the book I'm writing on technology, terrorism, and my time at DHS, tentatively titled "Skating on Stilts."  (If you want to read the excerpts in a more coherent fashion, try the categories on the right labeled "Excerpts from the book." I'm afraid I can't fix the bug in TypePad that prevents me from putting them in the category in reverse-chronological order, but I have started putting chapters up in pdf form from time to time.)  Comments and factual quibbles are welcome, either in the comments section or by email:  fact.check.baker@gmail.com.  If you're dying to order the book, send mail to the same address.  I'm still looking for an agent and a publisher, so feel free to make recommendations on that score too. 

--Stewart Baker

No one can say we weren’t warned. The United States government told us all that a computer security crisis was brewing. Twice, in fact, and under two different Presidents.

President Clinton cautioned in January 1999 that “We must be ready--ready if our adversaries try to use computers to disable power grids, banking, communications and transportation networks, police, fire, and health services--or military assets."

A year later President Clinton proposed a series of measures to address the security problem.

Two years later, President George W. Bush created a special adviser on cybersecurity who spent a year developing a computer security strategy.

Neither effort made much headway. The public didn’t see the problem. The network attacks that alarmed Washington were classified. Officials couldn’t talk about them. Meanwhile, privacy and business interests worked overtime to persuade the public that national security concerns were overwrought. The real risk was government monitoring and government regulation, they insisted.

And, by and large, that was the view that prevailed -- twice, and under two Presidents. Nothing was done about computer security that anyone in the privacy or business lobbies might object to.

In 2009, a third President promised to make computer security a top priority, and shortly after taking office, the Obama administration also produced a security strategy. Once again, though, the strategy lacked punch.  It failed to call for any action that could possibly irritate business or privacy groups. It spoke of cybersecurity only in alarmed generalities, unable to explain why Americans should be concerned enough to suffer even modest inconvenience.

But this time may be different. Thanks to the work of a band of Canadian security researchers , we now have a remarkable – and completely unclassified -- insight into just how easily computer hackers can penetrate even carefully secured computer networks.

This is another excerpt from the book I'm writing on technology, terrorism, and my time at DHS, tentatively titled "Skating on Stilts."  (If you want to read the excerpts in a more coherent fashion, try the categories on the right labeled "Excerpts from the book." I'm afraid I can't fix the bug in TypePad that prevents me from putting them in the category in reverse-chronological order, but I have started putting chapters up in pdf form from time to time.)  Comments and factual quibbles are welcome, either in the comments section or by email:  fact.check.baker@gmail.com.  If you're dying to order the book, send mail to the same address.  I'm still looking for an agent and a publisher, so feel free to make recommendations on that score too. 

--Stewart Baker

One night in January 2009, at about the same time that Howard Crank was sending thousands of dollars to Spain, Beny Rubinstein was getting ready to turn off his computer and go to bed.

Suddenly he got an instant message from Bryan Rutberg, a friend who worked for a technology company. Rutberg’s message got right to the point.

"Look, I really need your help."  Rutberg had taken a quick trip from Seattle to London, where he’d been robbed. He was broke in a foreign land. His Facebook page said the same thing, carrying an update that said, "Bryan NEEDS HELP URGENTLY!!!"  Bryan needed a loan to get home.  Could Rubinstein help? 

Rubinstein could. He wired $600. That wasn’t enough, so he sent another wire transfer -- $1143 in all.

In fact, Rutberg was still in Seattle. His Facebook account had been hacked, and the hacker was messaging Rutberg’s friends, asking them all for quick wire transfers.

Rutberg, meanwhile, was locked out of his own account. He tried to stop the imposter by posting a comment on his own page, using his wife's account. Rutberg’s comment was quickly deleted, and his wife was "unfriended.”  He had lost control of his online identity to a brazen scam artist.

A couple of days later, Facebook closed down the account, but Rubinstein’s money is long gone. Neither Rubinstein nor Rutberg is a technological naïf.  But both were defeated by the mass customization of online fraud.  It's not hard to write programs that will look for weak Facebook passwords, or that will send urgent instant messages to the friends listed in compromised accounts.  Only when someone responds to the messages do the scammers need to become personally involved.  The marks are all prequalified. 

Best of all, it's possible for the scammers to get in and get out in hours, then disappear halfway around the world.  Local police are helpless; they "are not investigating this case," said a police spokesman. "It is pretty much at a dead end."

As Microsoft has tightened the operating system, hackers increasingly rely on mass social engineering and insecure applications to open a hole in the victim’s defenses. Facebook is of course free, and the company is famous for not having a revenue model to match its massive user base. So it’s not surprising that its site still has security problems. But it’s the social engineering that made this scam work. Rutberg’s friends may not trust strangers who tell them they’ve won the Spanish lottery, but they do trust him.

In fact, the combination of “authorized malware” and targeted social engineering is so powerful that, despite Microsoft’s efforts, it’s now easier than ever to compromise computers, and their networks.

This is another excerpt from the book I'm writing on technology, terrorism, and my time at DHS, tentatively titled "Skating on Stilts."  (If you want to read the excerpts in a more coherent fashion, try the categories on the right labeled "Excerpts from the book." I'm afraid I can't fix the bug in TypePad that prevents me from putting them in the category in reverse-chronological order, but I have started putting chapters up in pdf form from time to time.)  Comments and factual quibbles are welcome, either in the comments section or by email:  fact.check.baker@gmail.com.  If you're dying to order the book, send mail to the same address.  I'm still looking for an agent and a publisher, so feel free to make recommendations on that score too. 

--Stewart Baker

Exponential technologies always seem to serve dessert first. That's why they grow exponentially. Their benefits are immediate and irresistible, so we use them in numbers that double and double again.  It seems implausible at the start of that curve that they could be misused. Indeed, at the outset, people do use them mostly in good, socially responsible ways. I leave it to the philosophers whether that’s because people are basically good or because it takes time for people to figure out how to be bad with new technologies.

Whatever the reason, information technology certainly followed the same path as commercial jets. It took decades between the time the technology was first democratized and the first really frightening misuse.

Until the late 1980s, the risks of misuse were almost entirely theoretical. Computer viruses had been invented by then, but mainly just to show how they would work. It wasn’t until the mid-1980s that “wild” computer viruses began to spread from one PC to another via floppy disks. Then, in 1988, a worm caused much of the Internet to grind to a halt. For the academic and defense users who then dominated the Internet, the worm was a shock.  But they relaxed when they found that the worm’s author, Robert Morris, wasn’t a spy or a criminal. He was a student, and he claimed he’d been testing a concept that got out of control.

In retrospect, what’s most notable about the malware of that era is its comparative innocence. It caused damage, sure. But it was either academic or nihilistic in purpose; it demonstrated the capabilities and perhaps the ill will of the author. It wasn’t really much of a threat, although the worst examples could destroy stored data.

Most attacks were the digital equivalent of the Plains Indians “counting coup” by striking an enemy with a stylized stick and escaping. Like coup counting, the purpose of early hacking was to humiliate, not to kill. And computer security only needed to be good enough to outfox adolescent malcontents, a task both industry and government felt fully capable of handling.

By the mid 1990s, though, the Internet had become a fully democratized place, and money had replaced showing off as a motive for hackers. Spam was the earliest form of profitable Internet crime. And when network administrators started blocking spam by refusing to accept mail from spammers’ machines, hackers found they could compromise other people’s computers in bulk, then use those machines to send the messages.  If the senders of unwanted email were widely distributed, spam couldn’t be stopped by quarantining a few suspect computers.  Hacking wasn't just fun any more; it could put money in the hacker's pocket.

Once underground networks of compromised machines had been assembled, it turned out that they could be used for other profitable crimes as well. If all of the captured machines could be induced to send meaningless messages to a single Internet site at the same time, the site would be unable to process all the messages. The site would falter and fail. Legitimate users would be locked out.

Such “distributed” denial of service attacks turned into a new-style protection racket. Gambling sites, for example, simply cannot afford to be unavailable in the days and hours before the Final Four basketball tourney. If a site suffers an effective denial of service attack, there was a good chance that it will pay a reasonable “security” fee just to get back on line quickly.  That wasn't the only use to which criminals could put herds of zombie machines.  The machines could be programmed to visit ad-supported websites and mindlessly click ads, earning illegitimate click-through fees for those sites.

But security professionals at large firms still had confidence in their defenses. Denial of service was a concern, sure, but it could usually be defeated by retaining an ISP with lots of bandwidth and an ability to filter packets quickly. Distributed spam took away one tool for discouraging spam, but there were plenty of other ways to filter unwanted mail. For most users, spam was at worst a nuisance.

But malware continued to grow more sophisticated, and it could use the Internet to spread rapidly. Several viruses in 2000 and 2001 caught  large companies unprepared and forced a shutdown of their networks while the viruses were eradicated. Hackers began to find ways to intrude into important financial and military systems.

This was getting serious.

Even so, most security experts thought the plague could be contained. They blamed systems administrators who didn’t patch their systems quickly enough. Most of all they blamed Microsoft. The company had emphasized new features over security, they complained, and in its drive to be first to market it had written sloppy code. Other operating systems were said to be more secure; and many thought that relying on a variety of operating systems was inherently superior to the “monoculture” created by Microsoft.

Stung, Microsoft fought back. Bill Gates himself took on the problem. Gates was famous for his insight into the future of the personal computer. Past Gates memos had produced a profound change in Microsoft’s strategic direction, most famously when he wrenched Microsoft into the Internet age, focusing the entire company on the challenge posed by Netscape – and leading to Microsoft’s’ victory in the browser wars.

By January 2002, Gates had a new focus. He announced that security was the key to Microsoft’s future. From now on, all of its products would be built with security in their foundation: “when we face a choice between adding features and resolving security issues, we need to choose security. Our products should emphasize security right out of the box, and we must constantly refine and improve that security as threats evolve.” 

The memo was a call to arms. All of Microsoft’s employees were expected to bring this new focus to their jobs. In the past, that single-minded focus had enabled Microsoft to beat some of the most talented companies in the world. IBM, Lotus, WordPerfect, Ashton-Tate, Digital Research, Sun, Real, Apple, AOL, and Borland – not to mention much-feared and rarely bested Japanese electronics makers like NEC and Toshiba –all had tried to stand between Microsoft and its strategic vision of the future. Microsoft had defeated them all.

Now Microsoft was gearing up for battle again. This time, though, it only had to beat a bunch of punk hackers. That should be a piece of cake. Once it was done, a new age of online security would dawn, with Microsoft’s trusted products at the heart of every online transaction.

More than seven years have passed since Microsoft set out to beat a ragged band of hackers. The company has rewritten its operating system more or less from scratch. And its code is indeed far more secure than in 2002.

But it has not won the war. The second Tuesday of each month still brings a boatload of corrections and patches that the company must make to even its newest and most secure operating systems. By 2009, the ragged band of hackers was looking a lot more sleek and prosperous than before, and Microsoft has suffered its first revenue decline in history.

More important than Microsoft’s security failures are its successes – and how little difference they have made. Microsoft has indeed tightened up the operating system. But the structure of the PC world has made that almost irrelevant. The point of the PC is the control it gives to the user -- who can decide what applications to run -- and to the developers -- who can create new applications quickly and easily. At the end of the day, Microsoft must empower users and developers. And so that’s what its security approach does. Windows Vista, for example, was famous for nagging at users to confirm their dangerous decisions to run new code or open new attachments – so famous that Windows 7 has had to cut back on the nagging, despite the security risks. The one think Microsoft can’t do is forbid users to make dangerous decisions. If Microsoft tried that, it would leave its users angry and looking for a new operating system. The same is true for applications; Microsoft can’t require developers to write secure code without discouraging them from writing Windows applications. And if it does that, it loses its main advantage in the market – the overwhelming number of applications that run only on Windows.

So, to the extent that Microsoft has succeeded, it has simply displaced the risk.  Online security is still getting worse, but it's getting harder to blame the operating system.  Instead of exploiting the operating system, more and more attacks exploit holes in applications. Or they induce the user to do something he shouldn’t do.

Or both...

This is another excerpt from the book I'm writing on technology, terrorism, and my time at DHS, tentatively titled "Skating on Stilts."  (If you want to read the excerpts in a more coherent fashion, try the categories on the right labeled "Excerpts from the book." I'm afraid I can't fix the bug in TypePad that prevents me from putting them in the category in reverse-chronological order.)  Comments and factual quibbles are welcome, either in the comments section or by email:  fact.check.baker@gmail.com.  If you're dying to order the book, send mail to the same address.  I'm still looking for an agent and a publisher, so feel free to make recommendations on that score too. 

--Stewart Baker

Howard Crank would never have let a con man into the quiet life he and his wife were living. But the Internet that brought the world to his doorstep brought the world’s con men as well. Information technology empowered Howard Crank to search the world for old buddies. And it empowered fraudsters to search the world for the handful of people who might be ripe for their scam.

In the end, for Howard Crank, the exponential growth in information technology turned out to be a disaster. It was great for a while. He loved what the new technology did for him, and how cheaply it performed its miracles. But in the end, nothing he gained by embracing it was worth what he lost.

It is still an open question whether the rising curve of information technology will eventually leave the rest of us where it left Howard Crank. That it hasn’t happened to us yet is cold comfort. As William Gibson once said, “The future is already here. It's just not very evenly distributed.”  He was thinking of the wonders of new technology, but bad futures are distributed as unevenly as good ones.

About now, you’re probably thinking that Howard Crank, sympathetic as his story may be, just wasn’t savvy enough. You would never fall for such a scam. And you will never suffer the harm that he did.

Well, maybe not. But Howard Crank was ruined because information technology made it cheap to screen millions of people to find those who were susceptible to the lottery fraud. That same technology will make it cheap to screen the world for people and machines that are susceptible to other forms of fraud as well. You may not fall for the Spanish lottery, but you’re probably susceptible to something.  And even if you aren’t, your machines are.

Are you really sure the fraudsters won’t find you in the end?

This is another excerpt from the book I'm writing on technology, terrorism, and my time at DHS, tentatively titled "Skating on Stilts."  (If you want to read the excerpts in a more coherent fashion, try the categories on the right labeled "Excerpts from the book." I'm afraid I can't fix the bug in TypePad that prevents me from putting them in the category in reverse-chronological order.)  Comments and factual quibbles are welcome, either in the comments section or by email:  fact.check.baker@gmail.com.  If you're dying to order the book, send mail to the same address.  I'm still looking for an agent and a publisher, so feel free to make recommendations on that score too. 

--Stewart Baker

even years after 9/11, we had mounted an effective response to the challenge posed by the exponential growth of international travel.  Our procedures weren't airtight, of course; they never had been.  But we weren't flying blind either, making decisions on thirty seconds of chat and intuition.  It hadn't been easy, but at least everyone agreed that the old system had failed disastrously on 9/11. No one doubted why we wanted to do more. 

The challenge posed by computer security was different. There had been no dramatic meltdown. Most people still scoffed at the idea that the exponential growth of information technology revolution could lead to disaster.  

Yet for some of us, losses from the information technology revolution are already greater than the gains.

Just ask Howard Crank’s widow.

***

Howard Crank lived a quiet life that revolved around his modest California duplex. He was 73 years old, after all, and he had lost both legs above the knee to diabetes. His wife’s health was not good. He was living on his Air Force veteran's pension. But he could afford a computer, and he loved it. It helped him find old Vietnam buddies and research new charities to add to the three dozen he already supported.  He might be halfway to housebound, but the new technology was a godsend.  Thanks to Moore’s Law and the Internet, the whole world was at his doorstep.

The Internet, it appears, is how he discovered that he’d won $715 thousand in a Spanish lottery. Money was tight on an Air Force pension, so this was amazing news. Of course, it turned out that there were transfer taxes for him to pay before the winnings could be sent to him. It grew expensive, but his share of the lottery was also growing – to $115 million.

Howard Crank’s life savings were $90 thousand. Bit by bit, he sent it all.

It wasn’t enough. He got calls from Spain, explaining the hassles and delays. He mortgaged his home and sent the proceeds. More calls. When he wondered aloud whether he’d ever see the money, the caller asked him to have faith. They prayed together.

A few weeks later, he took out a second loan on the house. He maxed out two credit cards. All the money, perhaps $300 thousand in all, went to Spain. It was still not enough to break his lottery winnings free. He asked his stepdaughter for $40 thousand. He didn't want to explain why.

She thought that was odd. So when he was hospitalized a few weeks later with a broken leg, she checked his financial records. She found that Howard Crank had ruined himself and his wife in an apparent Internet hustle. The Spanish scam artists disappeared without a trace. Crank died of a heart attack before he could explain how it happened.

“I think he probably knew it was a fraud at the end,” his stepdaughter told me. “But he was hoping against hope. He’d sent them so much money already, and they were so convincing. But by the end he’d lost his zest for life. He was so desperate.” 

Desperate he should have been. He had not just squandered his own assets. His 79-year-old widow will lose her home and likely be forced into bankruptcy by the debts he left behind.