Forbes September 20, 2004
The Next Threat From al Qaeda: Hacking to Wreak Havoc
By Robert Lenzner and Nathan Vardi
Four years ago al Qaeda operatives were taking flying lessons. Today they are trying to hone a new skill: hacking to wreak havoc. Security experts make a living saying we aren't ready for this danger--but they are indeed right.
Four years ago al Qaeda operatives were taking flying lessons. Today they are honing a new skill: hacking. How much damage could a cyberterrorist do to our electric grid or the Internet? We don't know yet.
Jason Larsen is a master hacker. He sports the de rigueur black shirt, black slacks, glasses and ponytail. A 31-year-old programmer at the secretive Idaho National Engineering & Environmental Laboratory in Idaho Falls, he obsesses about the ways in which a terrorist intruder might go online and trip circuit breakers on the electrical grid or open valves at chemical storage tanks.
"I could easily turn off the power in a couple dozen cities by the end of the day," says Larsen. He has hacked into the automated control systems at several big utilities; usually it takes him all of a week.
Experts like Larsen make a living by stoking cyberfear in the rest of us. They say that terrorists could shut down chunks of the Internet, the phone system or the electric grid by hacking into computers. We're not spending enough on computer security, they say, and the consequences could be devastating.
These experts have an ax to grind. But they might be right. As the Internet spread like a virus in the 1990s, hundreds of utilities, chemical factories, wastewater plants and the like went online to enable remote monitoring and more instant communications. Yet their antiquated control systems lack protection against digital intrusion, providing an easy target.
The most destructive terrorist act in history began with Islamic radicals going to flight school and ended when they turned airliners into flying bombs. As the third anniversary of Sept. 11 passes, the next threat could be a Net threat: Solid evidence shows that al Qaeda agents and other terrorists are trying to attain the online skills needed to wage cyberwar. Terrorists could use the Internet to disrupt the communications systems of the military's Pacific Command or turn off the lights in Los Angeles or Chicago; they could open the massive floodgates of Arizona's Roosevelt Dam or disable huge parts of the World Wide Web.
Yet in the U.S. no urgent crusade has emerged to fix the flaws. The National Strategy to Secure Cyberspace, signed last year by President Bush, proposes a sweeping overhaul of U.S. networks. In it the White House's former counterterrorism chief, Richard Clarke, urged a wholesale reboot of government computer systems and new security rules for electric utilities and Internet access providers. But few of his proposals have been adopted, Clarke says. "All the regulated industries--the electric utilities, the gas pipelines and oil refineries, the water and transportation systems--are still vulnerable to cyberattack."
Washington lacks any consensus on what to do about the Net threat--or whether it even constitutes a threat. "The idea that hackers are going to bring the nation to its knees is too far-fetched a scenario to be taken seriously," asserts James Lewis, a former State Department and Commerce Department official. He has dismissed cyberterror in reports for the nonpartisan Center for Strategic and International Studies.
Patching the holes could easily cost billions of dollars. Some 80% of the nation's infrastructure is owned by corporations, but government and business can't even agree on who should cover the cost. "We haven't developed a comprehensive strategy for addressing this weakness in our critical infrastructure," says Congressman Adam Putnam (R-Fla.), who sits on a subcommittee on tech issues. "America must not be so focused on preventing physical attacks that we leave our cyber-backdoor wide open and unattended. The tragedy of 9/11 has taught us that we must imagine the unimaginable."
The unimaginable is looking ever more plausible. The FBI says the cyberterrorism threat to the U.S. is "rapidly expanding." "Terrorist groups have shown a clear interest in developing basic hacking tools, and the FBI predicts that terrorist groups will either develop or hire hackers," Keith Lourdeau, an FBI deputy assistant director, told the U.S. Senate earlier this year. Material found in Afghanistan by U.S. forces in 2001 showed that al Qaeda was trying to develop cyberterrorists, says John Arquilla, a professor at the Naval Postgraduate School.
Computer systems that control the water supply and wastewater systems "have been the targets of probing by al Qaeda terrorists," says Rep. Putnam, who cites U.S. law enforcement and intelligence agencies. Unwanted intrusions have occurred in some 50 incidents over the past ten years to automated systems that control important physical equipment through the Net, says Joseph Weiss, a security consultant in San Jose, Calif. "Not enough people are taking this seriously," he laments.
Al Qaeda previously has used the Net to circulate propaganda and communicate with operatives. The terror alert in August, detailing al Qaeda plans to attack financial institutions in New York and New Jersey, came after the arrest in Pakistan of Muhammad Naeem Noor Khan, a computer engineer. Elsewhere, Abu Anas al-Liby, one of al Qaeda's ranking computer experts, trained agents in computer surveillance techniques, according to testimony in 2001 in the Nairobi embassy bombing trial.
For now most e-jihadists can barely even mess up an obscure Web site, but they are learning. Some two dozen online terrorist discussion groups and Arabic-language hacking forums are now tracked online, up from only four a year ago, says IDefense, a Reston, Va. firm. IDefense spotted jihadist hackers unsuccessfully trying to take down the Bank of Israel's Web site.
Hacking tools and talent are readily available online. "If al Qaeda can't do it, they can go buy it," says John Watters, IDefense's chief. Last year at a hacking conference in Birmingham, U.K., a techie presented a detailed paper on cracking into water systems. The National Security Agency says foreign governments already have developed such computer attack capabilities. U.S. officials believe Iran, North Korea, Russia and China have trained hackers in Internet warfare.
U.S. military computer networks have proved easy to penetrate. In 1998 hackers started using stealthlike attacks that, over several years, cracked open Pentagon computers and downloaded thousands of sensitive technical files. A federal investigation, dubbed Moonlight Maze, traced the intrusions back to dial-up Internet connections near Moscow. The hackers have never been caught.
Online, America's aching Achilles' heel is the wide-open automated control systems that run the nation's networks for electricity, water, gas, oil and more. The control systems were designed years ago when each utility was an island, without any thought given to bulletproofing against online intrusion once everything was linked together.
"There is potential vulnerability throughout industry where control systems are connected to the Internet," says Clarke, the former White House head of counterterrorism. Yet the feds often aren't even told when an online event has affected some control system; no mechanism has been developed to report such incidents.
Clarke is, admittedly, a grandstander who wrote a tell-all book and made headlines questioning the Bush Administration's urgency in responding to the terrorism threat. But even the staid GAO has weighed in similarly, underscoring the danger to "our nation's critical infrastructure." "Control systems can be vulnerable to a variety of types of cyberattacks that could have devastating consequences--such as endangering public health and safety," warns a report issued in March by the GAO (which now stands for Government Accountability, rather than General Accounting, Office).
Utilities are particularly defenseless. A total of 270 utilities that generate 80% of the nation's electricity use control systems that are ripe for hacking, according to research by Ted G. Lewis for the Naval Postgraduate School. "We have visited 15 utility companies and been able to penetrate all of them," says Brian Ahern, chief executive of Verano, a provider of cyberdefense systems for utilities.
Microsoft's software is both ubiquitous and vulnerable. In January 2003 the Microsoft SQL Server worm, known as Slammer, infected a private computer network at the Davis-Besse nuclear power plant in Oak Harbor, Ohio, disabling a safety monitoring system for nearly five hours, says the Nuclear Regulatory Commission. The dormant plant's process computer failed, and it took six hours to get it up and running again. At another utility, in an undisclosed city, Slammer downed the computer network controlling vital equipment. Other times the attacks are more personal: In 2000 a discontented consultant, rejected for a job at a water treatment plant in Australia, remotely hacked into a sewage treatment system and released 264,000 gallons of raw sewage into rivers and parks.
Many of these systems are known as Scada, for Supervisory Control & Data Acquisition, and are made up of computers, networks and sensors that control industrial activity over large geographic areas. Another kind of system, known as DCS, or Distributed Control Systems, is often used in isolated areas such as a chemical plant.
Most control systems lack any encryption, and they have proved simple to manipulate once a hacker gets inside. In a recent test Steven Schaeffer, a software engineer at the Idaho National Engineering & Environmental Laboratory with no Scada experience, easily figured out how to outsmart a General Electric Scada system running a mock utility. It took Schaeffer only five months to analyze the setup and write code that would let him, from his laptop, tell the Scada system to open and close enough breakers to bring down the mock utility--without letting the legitimate operator see what was going on.
"What if this was a chemical plant? You want to start a Bhopal incident?" Schaeffer asks, referring to the accidental chemical leak at a Union Carbide plant in India that killed 3,800 people in 1984. "It's fairly trivial to do this. Anyone with some software experience can."
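The weakness Schaeffer exploits in the mock utility is that the device acts on whatever command frames reach it, with nothing to prove who sent them or whether they are fresh. The following Python sketch is an added illustration, not code from the article, the Idaho laboratory or any control-system vendor: it contrasts a toy unauthenticated breaker-command frame with the same frame carrying a sequence counter and an HMAC-SHA256 tag under a key shared between the operator console and the field device. The frame formats, the two controller classes, the breaker numbers and the key are all constructed for the example and model no real Scada protocol.

```python
"""Toy control channel: an unauthenticated frame beside an HMAC-protected one.
Constructed example; it models no real SCADA protocol or vendor product."""
import hashlib
import hmac
import struct

PLAIN_FMT = "!HB"      # breaker id (uint16), state (0 = open, 1 = closed)
AUTH_FMT = "!IHB"      # sequence counter (uint32) followed by the same payload
TAG_LEN = 32           # HMAC-SHA256 tag length in bytes


def encode_plain(breaker_id: int, closed: bool) -> bytes:
    """Legacy-style frame: anyone who can reach the device can build one."""
    return struct.pack(PLAIN_FMT, breaker_id, int(closed))


def decode_plain(frame: bytes):
    breaker_id, state = struct.unpack(PLAIN_FMT, frame)
    return breaker_id, bool(state)


def encode_authenticated(key: bytes, seq: int, breaker_id: int, closed: bool) -> bytes:
    """Same payload, plus a monotonic counter and an HMAC tag under the shared key."""
    body = struct.pack(AUTH_FMT, seq, breaker_id, int(closed))
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


class LegacyController:
    """Accepts any well-formed frame; models a device with no authentication."""

    def __init__(self):
        self.states = {}

    def handle(self, frame: bytes) -> bool:
        breaker_id, closed = decode_plain(frame)
        self.states[breaker_id] = closed
        return True


class AuthenticatedController:
    """Rejects frames whose tag does not verify or whose counter is not fresh."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1
        self.states = {}
        self.log = []  # (verdict, reason) pairs a monitoring system could export

    def handle(self, frame: bytes) -> bool:
        body_len = struct.calcsize(AUTH_FMT)
        if len(frame) != body_len + TAG_LEN:
            self.log.append(("reject", "malformed"))
            return False
        body, tag = frame[:body_len], frame[body_len:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            self.log.append(("reject", "bad tag"))
            return False
        seq, breaker_id, state = struct.unpack(AUTH_FMT, body)
        if seq <= self.last_seq:                      # replayed or stale frame
            self.log.append(("reject", "replay"))
            return False
        self.last_seq = seq
        self.states[breaker_id] = bool(state)
        self.log.append(("accept", f"breaker {breaker_id} closed={bool(state)}"))
        return True


def demo():
    """Feed the same three events to both controllers and return the outcomes."""
    key = b"shared-key-for-demo-only"  # constructed; real deployments provision this per device
    legacy = LegacyController()
    hardened = AuthenticatedController(key)

    # 1. The legitimate operator closes breaker 7.
    legacy.handle(encode_plain(7, True))
    op_ok = hardened.handle(encode_authenticated(key, seq=1, breaker_id=7, closed=True))

    # 2. A frame from a party that does not hold the key: the legacy device
    #    obeys it; the hardened device sees a tag that does not verify.
    legacy.handle(encode_plain(7, False))
    unkeyed = struct.pack(AUTH_FMT, 2, 7, 0) + b"\x00" * TAG_LEN
    forge_ok = hardened.handle(unkeyed)

    # 3. A replay of the operator's earlier frame, rejected by the counter check.
    replay_ok = hardened.handle(encode_authenticated(key, seq=1, breaker_id=7, closed=True))

    return {
        "legacy_breaker_7_closed": legacy.states[7],
        "hardened_breaker_7_closed": hardened.states[7],
        "operator_accepted": op_ok,
        "forgery_accepted": forge_ok,
        "replay_accepted": replay_ok,
        "hardened_log": hardened.log,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The legacy controller ends with breaker 7 open, because it obeyed the unkeyed frame; the hardened one keeps it closed and leaves two rejection entries in its log. That log is the piece Clarke's complaint about unreported control-system incidents points at: a device that can tell an unverified command from a legitimate one can also report it.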
The Internet has brought these plants online and made them more vulnerable, and the foundation of the Net itself is susceptible to attack, too. "Someday someone will find a packet of death to bring down the Internet," warns Ken J. Silva, former National Security Agency official now at VeriSign, the main operator of the Internet-address database that directs billions of digital packets around the world every day.
Some weaknesses, already well-known to hackers, foreign governments and, most likely, jihadists, have been exposed in two areas: the Domain Name System that VeriSign oversees and the Border Gateway Protocol, which governs how Internet service providers and large networks exchange routing information. The millions of computers and Web sites linked to the Net are identified by distinct serial numbers; the DNS translates between those numbers and the Web addresses people recognize. The DNS rides on top-level servers around the world, which in turn are guided by the true pillars of the Internet: 13 root servers, most of them run by volunteers. Often these big servers are poorly secured. In 2002 they were flooded with traffic from tens of thousands of infected computers in an unsolved "distributed denial of service" attack. It lasted for about an hour and took down 9 root servers; had all 13 gone down, the entire Internet might have crashed for hours or days.
Richard Clarke believes a debilitating attack on the Internet could be mounted by manipulating routing information via the Border Gateway Protocol, corrupting it to "send everything down a black hole." In April router vendors like Cisco and Internet service providers like AT&T and AOL had to quickly fix two security holes exposed in BGP. The feds worried a hacker could exploit the new gaps and affect "a large segment of the Internet community."
More often, however, the response of government and business is sluggish or nonexistent. A year ago a new cybersecurity standard for electric utilities was set by an industry advisory group, the North American Electric Reliability Council, which was formed in 1968 after the blackout in New York City. Earlier this year the utilities filed reports revealing their level of compliance--but the council won't release the results.
"My guess is the results of those self-audits were real poor," says John O'Shea, who recently quit as chief of ABB's $200-million-a-year business selling control systems to electric companies. "After the big blackout [in 2003] there was so much energy to secure the grid, but we have lost that drive."
Government officials could press industry for more urgent measures, but they, too, are behind on the issue. The Department of Homeland Security has appointed a cyberczar to focus on the online world: Amit Yoran, the founder of information security firm Riptech. But Yoran himself admits that mobilizing a response from industry and government "has been a more challenging process than I ever anticipated."
"There is more infighting and yapping than action," complains Congressman William (Mac) Thornberry (R-Tex.), chairman of a House subcommittee on cybersecurity. "I'm disappointed it took so long for the Homeland Security people to be in place."
Even if the powers that be could agree on a response, it would raise the stickier question of who should pay for it. Homeland Security Undersecretary Frank Libutti, in a speech to corporate tech executives in June, declared: "The private sector must belly up."
And indeed it must; securing corporate networks is a corporate responsibility. But many of the companies behind America's infrastructure are tightly regulated and can't easily pass on new costs to customers. Others are in bad financial shape or must compete in unforgiving markets where price hikes are all but undoable.
"Companies have to justify the decision to spend money on security," says Rep. Thornberry. He favors using tax breaks to coax corporate spending rather than imposing new rules that require it. "We need a system of incentives for liability protection and tax incentives to energize industry," he says, "but no legislation has been proposed."
As the government hesitates, industry dithers. Utilities say their vendors are late in providing better security; the vendors say the utilities are unwilling to pay for it. "We have a catch-22," says Joseph Weiss, the security consultant in San Jose. "Vendors are reticent to spend millions to develop secure control systems, because the market won't buy it."
Fixing this mess would be incredibly difficult. Thousands of old and already-installed systems are in place but can't be updated in one fell swoop. Because of the way they are designed, a simple software patch for one could disrupt others. New gear is better protected but not widely available. "We have lobbied hard with our suppliers to put more reliable systems in place," says David Kepler, Dow Chemical's chief information officer. "The vendors are not providing them as fast as we would like."
But the giant companies that make control systems--General Electric, Siemens, ABB and others--say that even when they offer new wares with digital armor, customers balk. "No matter what you do, the customer always wants everything for free," says Paul Skare, the manager of Scada development at Siemens. Adds O'Shea: "There are lots of people who would love to jump on the solutions we are offering, but what I am hearing is, 'How am I going to pay for it?'"
Yes, it costs a lot of money to armor-plate software, as Microsoft discovers with each new version of Windows. ABB enlisted the professional hackers in Idaho to find holes in an early version of a new $1.2 million Scada system. Sure enough, it was riddled with weaknesses.
Invensys, which sells $1.4 billion a year of control systems and related services to chemical and oil conglomerates, has dispatched 30 specialists to visit clients and help them assess and tighten their control systems. At first Invensys covered the cost, but now it's charging for the service.
In the end, though, someone has to pay to stave off the bad guys; the question is whether American business will take the lead or wait for government--maybe--to force it to act. After the Sept. 11 attacks exposed gaping holes in airline security, the feds took control of the nation's 55,000 airport screeners. The new Department of Homeland Security formed the Transportation Security Administration, which awarded $8.5 billion in contracts and is requesting another $5.3 billion next year. Homeland's cybersecurity division, by contrast, will have a budget next year of less than $80 million.
If another unimaginable attack on America occurs, this time a devastating raid on our networks, what will Congress do? It will commission a panel to look into why we failed to anticipate the threat.