ARE YOU READY FOR WAR? BANKS AWAKEN TO CYBER ATTACK
by Andrew Reinbach
Thanksgiving dinner last November. William Marlow is just pushing back from the family table. The phone rings: One of his clients, an unnamed Midwestern financial institution, thinks it’s under cyber-attack. For Marlow, the next few days are all long and filled with pizza.
Marlow is a senior vice president at McLean, Va.-based Science Applications International Corp. (SAI), which operates a computer security team headed by Marlow and Dr. Mark Rasch, formerly U.S. Attorney for Computer Crime at the Department of Justice. The team has 47 bank clients worldwide, including, says the company, three of the nation’s largest.
When the call came, the computer security team assembled in their war room in McLean, established a secure link with their client’s network, and began systematically securing the client’s computer operations while metaphorically patrolling the walls, looking for anything from a simple mistake that might have accidentally set off the alarms, to a sophisticated timing attack, designed to distract the firewall while intruders slip into the system.
“What the client was afraid of was that a Trojan horse had been introduced,” says Marlow. A Trojan horse is a program that enters the computer network disguised as a harmless message, after which point it opens a so-called “back door” for the attackers.
“While we were doing that, we received a message from two individuals that was an extortion demand–we’re talking significant dollars, enough to alter our fee structure,” says Marlow.
The FBI was brought in by the client, and the two teams, working together, tracked down the perpetrators; Marlow and his team built a chain of custody of evidence for prosecution under Dr. Rasch’s supervision, while the FBI pounded the pavement, locating and arresting the criminals, who are reportedly awaiting trial.
Marlow’s client got away easy. Last June, the Times of London–an institution not known for its sensationalism–reported that several London financial institutions had paid up to £400 million to fend off extortionists who used logic bombs–software programs that cause systematic errors–to demonstrate their ability to destroy those institutions’ global operations. At least one of the attacks sent the proceeds to Russia, according to the story, which ran on the front page of the June 2, 1996 edition. Other journalists have confirmed the report, although officials steadfastly deny it.
At press time, the FBI said it needed more specific information before it could comment on Marlow’s experience.
Both these incidents were probably more a matter of cyber gangsterism than anything else—just a new way to hold up banks. But in today’s strange new world, they could as easily have been perpetrated for kicks by a kid in Cedar Rapids, for money by a former programmer from the Soviet Ministry of Defense working for the Russian Mafiya, or, more dangerously, by a politically-motivated terrorist trained by the CIA in Afghanistan, working in the Sudan with financing from a Saudi billionaire and intending to harm America by attacking its lifeblood.
And therein lies the rub: Once a bank is under cyber attack, it doesn’t much matter whether the enemy wants your money or your life; the lines between mere criminality and political action are blurred by the anonymity of the attack. And since in cyberspace national boundaries aren’t even lines on a map, computer attacks don’t always yield to tidy legalistic solutions, even if the computer that launched the attack can be traced, and happens to be in a nation with laws against them—by no means a universal condition. Monaco, for instance, has no laws covering computer crime.
The result for America’s banks is a sort of medieval world in which anything can happen, law is nonexistent, and everyone needs strongholds and armed escorts when traveling from one to the other. And because the world is filled with people who consider our role as the citadel of democratic capitalism, and the exemplar of modern scientific civilization, to be fundamental attacks on their way of life, a cyber attack on one bank could as easily be a first step in a plan to crash the international payments system as an attempted robbery.
And examples of cyberterrorism—or at least of how vulnerable we are to it—do exist, although no official will admit to a cyberterror attack on a U.S. bank.
In 1994, for instance, according to 1996 Congressional testimony, two hackers named Datastream Cowboy and Kuji crashed the computer systems at Rome Air Force Base in Rome, New York for 18 days. Rome AFB works on very sensitive defense projects; according to the testimony, not only were sensitive files stolen, but successful attacks were launched from the Rome computers against NASA’s Goddard Space Flight Center, Wright-Patterson AFB, and defense contractors around the country.
Datastream Cowboy was eventually arrested in England and convicted there of telecommunications theft; Kuji is still at large; no one knows what happened to the stolen data.
The same testimony disclosed not only that the Defense Information Systems Agency’s internal testing results in successful penetration of Defense Department systems 65 percent of the time, but that it estimates that Defense systems are attacked about 250,000 times a year. It doesn’t take much to see that if a Defense Department computer system can be penetrated, so can a bank’s.
This is no secret to Admiral J. Mike McConnell, a Booz Allen &amp; Hamilton partner who recently retired as director of the once super-secret National Security Agency.
“Banks talk about their systems as though they have no external connections,” he says. “What most people don’t appreciate today is that most banks today, when they are communicating, are traveling on the public switched network—the phone system structure. When people say they’re using the Internet, all they really mean is that they’re riding around on the public switched network. That induces a certain amount of vulnerability.
“Banks will tell you they have leased lines” between their branches, he says. “But they don’t really have a physical line—they have a restoral priority; it means they’ll get service, but they don’t know whether it’ll go through New Orleans or Chicago. So the point is, that opens you to potential vulnerabilities.
“Now you can encrypt that message, and it will be more difficult to interfere with anything; and a bank can have certain kinds of defenses—firewalls and whatnot—but once you understand and appreciate them, there are ways to attack them.
“Nothing is 100 percent guaranteed impenetrable,” he adds. “In my experience, when you are testing something to see if there is a vulnerability, you most always find a vulnerability.”
Added to that, says Admiral McConnell, is that “on the Internet, all the attack tools can be downloaded; there is a tremendous, richly robust hacker group that shares all these techniques” used for system penetrations, while readily-available Silicon Graphics workstations make very capable platforms for cyber attacks.
Also, cautions Admiral McConnell, “Today, with all our networking, the vulnerability does not end with the transmission [of data]. It’s gone from worrying about data in motion to also worrying about data at rest,” because much information is stored on hard drives. “That’s where the vulnerability is,” he says.
Luckily, bankers are a paranoid lot—safes and vaults were more or less invented for them—and banking systems are on the whole among the most secure around. This was well demonstrated during the recent “war game” simulations conducted in June-July by Admiral McConnell in his McLean, Va. offices for the President’s Commission for Critical Infrastructure Protection.
After two-and-a-half days of escalating problems that began as apparently unconnected events, and eventually manifested themselves as a full-scale cyber attack on the United States in which truck bombs were exploding at airports, the water supply was compromised, and attempts were made to penetrate FedWire and CHIPS, only the banking and nuclear power systems were left intact—every other critical infrastructure had been forced to request government help. Among those with poor marks: law enforcement and intelligence, which didn’t share information.
The PCCIP was created last year by President Clinton to address the fact that most of the computer networks in this country are interrelated and vulnerable to cyber attack both by terrorists who may or may not be state-sponsored, and by full-scale attacks mounted by state-sponsored groups.
This vulnerability is only magnified, say PCCIP officials, by the fact that corporate outsourcing has created concentrations of services in a few hands, disruptions of which could create significant vulnerabilities within whole industries, including financial services. And modern business models built around the Internet only worsen those problems.
“You’re looking at an emerging business model in an emerging [global] economy that is very different from the old one, where you had manufacturing on the bottom floor and management on the top floor,” says Peter Daly, a PCCIP commissioner and U.S. Treasury official. “Now you’ve got a CEO in Baltimore, his manufacturing is in China, his software is written in India, his telemarketing is in Ireland—the Internet enables that, and that’s what we’re focusing on—the infrastructure is the carrier of commerce now, and there are important new kinds of risks there.”
It was stimuli like these, say officials at the General Accounting Office, that led it this year to begin testing the financial system for potential weaknesses. The testing is occurring now; first it will try to penetrate banks, and then it will try to penetrate FedWire. The effort is being conducted out of the GAO’s San Francisco office.
At the level at which the PCCIP is working, say officials, the worry is less about computer attacks on individual banks than it is about attacks on major computer centers that support the nation’s financial infrastructure—the problem being that at a certain level, the two are virtually identical, and that a simple truck bomb, like those exploded at the World Trade Center or in Oklahoma City, could cause significant damage to, say, the New York Stock Exchange, or SWIFT, while taking down the telecommunications system with logic bombs would obviously affect the financial system along with the rest of the country.
But there are also the high-tech attacks to worry about. Some attacks, like exploding a microwave or flux generator bomb outside the Richmond Federal Reserve, potentially taking down FedWire by destroying its computer system, require substantial resources and are impractical; both sorts of bombs are very large and would have to be delivered by truck, and require the same sort of industrial base needed to build nuclear weapons. A flux generator bomb is capable of throwing an enormous magnetic field around a building.
But there are lower-tech attacks that even small banks need to worry about, since they could be used in smaller-scale extortion. A HERF, or high energy radio frequency, gun, for instance, is a smallish, futuristic device that sends an energy “spike” through a metal system, frying it.
These devices, which police forces are considering issuing to some of their personnel as a means of stopping escaping vehicles, are basically ray guns, right out of Buck Rogers. The technology, which is nowhere near as sophisticated as a flux generator bomb, could easily move from law enforcement to the criminal and terrorist population as it becomes more widespread. Tasers—readily available today—can also be used to attack and disrupt computer networks.
But these, at least, are not tough to defend against, according to a paper written by Carlo Kopp, an Australian computer scientist. Since a HERF or Taser attack made against a LAN is an electrical attack in which a power spike does the damage, he says, simply replacing the copper-based LAN with fiber-optic cable, which carries no current, provides a practical defense. More advanced measures advocated by Kopp start with isolating the computer power system from the main power supply with an old-fashioned motor-generator power isolator, and go as far as building the sort of copper-mesh “Faraday cage” sometimes put around a clean computer room around an entire building.
But there’s a price to be paid for upping the security ante, says an official at the American Bankers Association who requested anonymity.
“[A determined group] can always kidnap somebody’s family and make them do what they want, so I’m not sure how far you want to go,” he says. “The thing you’ve got to remember is that these days, you’ve got guys carrying bombs with toggle switches instead of timers.” Toggle switches are manual triggering devices used by suicide bombers.
“Low probability events are things banks have to deal with when they’re catastrophic, and when they can be reasonably managed,” he continues. “The thing is, we’ve got tremendous measures in place already, and the only other things [we could do] is to do full-field investigations [of employees] so not only do we know who our guys are, but that the government knows who our guys are, so they’d be more willing to tell our guys what’s going on.”
That cooperation could become far-reaching. Because the implications of cyber attack are transnational, and the interpenetration of terrorism and plain criminality has become so complete, many are calling for international police efforts.
“We’re totally behind the eight-ball, and everybody’s stymied by this brick wall called national sovereignty, which the bad guys laugh about,” says Arnaud de Borchgrave, who was Newsweek’s chief foreign correspondent for 30 years, and who now heads the Center for Strategic and International Studies, based in Washington. “Any thinking person knows that the traditional prerogatives of national sovereignty have not only been overtaken by the information revolution, but that things like logic bombs and worms are the new arsenal in a new geopolitical calculus that enables the non-states, and even individuals, to take on a superpower; that’s the sort of world we’re living in, and our leaders don’t want to face up to it.”
“You need laws that enable you to operate beyond [national] borders,” he adds. “Right now, if the Pentagon is attacked, they don’t have the right to retaliate, even when they know the source of attack. We’re a long way from an international SWAT team or teams, which is what I’m thinking about.”
As things stand, meanwhile, most large banks have either contracted with companies like SAI, or maintain their own computer security teams, generally denying to the public that they face any real dangers and, it’s widely assumed, leaving their own computer security crises unreported. This is exactly the wrong way to handle it, says Senator John Kerry (D.-Mass.).
“It goes to their overall attitude to the whole thing,” he says. “You have to put this thing out there; people have to know and understand it. The longer they’re quiet and the longer these guys can operate without a sense of public outrage and concern, the harder it’s going to be to marshal the forces to change the situation.”
“They’ll need government help to fight these incursions from the ’Net,” he says. “But acting on their own can’t be adequate. You can do certain things, but if you keep this thing covert, you’ll never summon the kind of clout you need to have a legitimate cure.
“That legitimate cure will involve some kind of understanding about how you’re dealing with encryption, with how you’re dealing with secrecy, of how privacy rights and access rights are going to exist, and of course law enforcement’s rights with respect to all this,” he continues. “It’ll have to be a cooperative effort, and will involve some public law.”
Ironically, it was our triumph in the Cold War that set the stage for our present problems. The United States won the Cold War. But Russia was not occupied.
This historic anomaly—the closest parallel is probably the collapse of the Ottoman Empire, which led to World War One—loosened control over both the former KGB, and its clients in the world of terror. The result is less actual terror—as defined as violent attacks on civilians by trained, politically-motivated people—but more trained people left to shift for themselves.
“The collapse of the Soviet Union has obviously let loose a tremendous amount of human capital and talent that has a lot of abilities that would normally be used for legitimate business purposes or purposes of the State, but now does not have an outlet,” says Francis Fukuyama, the noted author of THE END OF HISTORY. “A lot of that I think is going to come out in illegitimate activities, including things like cyberterrorism.”
And in any event, Russia today is only partly what Americans think of as a nation, says Ambassador L. Paul Bremer, a managing director at New York’s Kissinger &amp; Associates.
“It’s a bit of a combination of both,” he says. “It is in a sense a country in that you’ve got 145 million people who mostly speak the same language, who have all grown up under a central rule from Moscow, who use a common currency, and who are more or less defended by a common army. But there is a lot of warlordism; you do have governors and other satraps out there who have a lot of authority. I don’t think the last chapter is written yet; it could go either way in Russia.” Bremer was Roving Ambassador for Counterterrorism in the second Reagan Administration.
Serious cyber attacks on banks are still not common: SAI estimates they see only about five serious attempts on banks in any year. But a 1994 study by the RAND Corporation points out that as a simple matter of statistics, the danger of attacks on institutions of all sorts, including financial institutions, is bound to grow in tandem with the spread of computer use and the growth of the Internet.
Detail: Statistics on computer incidents reported to CERT, a computer security information clearing house and research facility located at Pittsburgh’s Carnegie-Mellon University and financed by the Defense Advanced Research Projects Agency (DARPA), grew about ten-fold between 1990 and 1996 (see chart). An apparent leveling off of reported incidents since 1994, says a spokesman, is more probably due to a multiplying of places to report such incidents than a slackening in hacker activity. An incident, he adds, can affect one computer or, on a LAN, 1,000. CERT began life in 1988 as DARPA’s computer emergency response team.
And a 1997 study by San Francisco’s Computer Security Institute, conducted in association with the Federal Bureau of Investigation, says that the 249 organizations who replied to their survey reported losses totaling $100,119,555. System penetration, fraud, sabotage, theft of proprietary information and virus attacks accounted for $65,623,700. Financial services companies, including banks, accounted for 18.77 percent of the responses.
According to the CSI study, the average loss to financial fraud was $957,384, while losses to system penetration averaged $132,250. In comparison, overall losses from unauthorized Internet abuse by employees totaled only about $1 million.
[Chart: Reported computer-related incidents, 1990–1996. Source: CERT, Carnegie-Mellon University]
[Chart: Average losses by type, including theft of proprietary information. Source: Computer Security Institute/FBI 1997 Computer Crime and Security Survey]
Originally printed in FutureBanker, September, 1997