Editorial Director of the Computer Security Institute (CSI), San Francisco, CA,
and author of Tangled Web: Tales of Digital Crime from the Shadows of
Cyberspace (Que, 2000).
Who are the bad guys? Who's the enemy in this new cyber world?
In terms of criminal activity? Well, it ranges from petty theft, really, to
state-sponsored terrorism. And you have everything in between. You have the
cyberspace mugger who's going to steal your personal identity, and destroy your
credit by committing fraud in your name, or stalk your children or your loved
ones online. There are organized crime syndicates that are going to be engaged
in stealing massive numbers of credit cards and selling them and using them for
credit card fraud globally. There are governments and corporate entities,
globally, that want to steal technology: cutting-edge technology, biotech,
high-tech, and low-tech technology. They want to compress the arc of time for
their economies to develop and catch up with the Big Eight economies. And
somewhere out there there's a cyber Unabomber, who is concocting for his own
bizarre motives some really unpleasant event that could impact the lives of
thousands or millions.
And there are the cults. Aum Shinri Kyo is the cult that hacked aggressively
into technology companies to steal technology that they were interested in.
There are the Osama bin Ladens of the world. Some people mock that specter, but
those folks have satellites, they use encryption, and they are on the Net, both
to gather information and to disseminate information, to gather intelligence
and conduct operations. And then, of course, there are governments. What will
happen in the Straits of Taiwan between Taiwan and China, and all the hot spots
in the world, is also taking place in cyberspace. They're looking at ways to
attack each other's digital infrastructure.
The problem is a lot more complex than just people with green hair and body
piercing.
Some of the folks with green hair and body piercing are very bright kids who
solve puzzles that people with computer engineering backgrounds can't solve.
But the juvenile hackers and the young hackers get caught, and they end
up in the headlines because they get caught. And the reason they get
caught is that they're not professionals. They are out for the adventure. They
are out for bragging rights. They are out for exploration. The professionals,
the ex-KGB agents, or the ex-CIA agents, the person from German intelligence,
or Israeli intelligence--they're not going to get caught. And when they are
detected, the people who detect them are not going to want to acknowledge that
they've been there. . . .
What happened with the Aum Shinri Kyo incident?
The important point that the story of the Aum cult brings home is the
plausibility of the cyberterrorist threat. We may never see a cyber attack, but
it would be irresponsible for those who are entrusted with national security to
not consider the consequences. For example, if someone had said before it
happened that a small New Age cult would launch a Sarin gas attack on the Tokyo
subway system to spur some Armageddon that would somehow leave their cult
leader in charge of the world, you would think it was implausible. But it
happened.
And the Aum cult was not only preparing for chemical warfare and other
kinds of warfare. They were actively engaging in hacking into Japanese
corporations and other entities around the world to gain technology they
wanted--laser technology, for instance--because they wanted to build their own
laser guns. And they, in fact, targeted and were recruiting software engineers
and scientists and bright young people who had skills that they wanted. And
they did drive up to the gates of Mitsubishi in the middle of the night, break
in, get into the main computers, and hack into those computers to get trade
secrets, proprietary information.
It's not difficult to surmise that they involved themselves in other hacking
capers. But even this year, years after the Sarin gas attack . . . it turns out
that a front organization that is controlled by the Aum cult was the contractor
that developed software for 90 Japanese government agencies, including the
Japanese police and elements of the Japanese Defense Department. And literally
a day before this software was to be deployed, somebody put two and two
together, and blew the whistle, and said, "Wait a minute. Look who developed
this software." Now, was there anything funny in the code? We'll probably never
know. But the danger of it is astounding, and the plausibility. You wouldn't
believe it if I had told you, "A cult could be writing software that could be
downloaded into the police department or the military wing of your government."
People wouldn't believe it. But it almost happened, literally. It was within 24
hours of being deployed in Japan.
You've been monitoring crime, probably more specifically than anybody else
that I've talked to. Was there a case that sort of blew your socks off?
In the mid-1990s, there was a rumor about something called BlackNet. And the
rumor was that there were these crackers online who were stealing and selling
information, and you could ask them for whatever you wanted. They could go get
it, email it to you, and it was all done with encrypted accounts and anonymous
remailers, and all very cloak-and-dagger on the Net. Some people said this was
real, some people said it was an FBI sting. Some people said it was a hoax.
BlackNet itself turned out to be a hoax, perpetrated by a bright young
"cypherpunk," as they're called.
But while that urban legend was passing around the internet, there was a real
"BlackNet" operation going on. It was eventually called "Phonemasters"
by the federal investigators. This was a gang of crackers, across the country,
Philadelphia, Santiago, Dallas, and in Canada, Switzerland, and as far away as
Sicily. They were involved in stealing credit card information and reselling
that information. They had a menu of activities they could perform. They had
Madonna's home phone number, they could hack into the FBI's national crime
database. They hacked into a telephone company to find out where the federal
wiretaps were for the Drug Enforcement Administration, beeped the dealers that
were being tapped and said, "Hey, you're being tapped by the DEA." And that
blew drug investigations out of the water. These guys were serious. . . . It
took years to get a conviction and a sentence in that case. . . . And you know,
these guys were amateurs in the sense of criminal activity. So you can imagine
what a serious criminal organization that takes that kind of hacking seriously
could do. . . .
What have we learned so far from the big attacks that we've experienced to
date?
The Citibank case, where some Russian hackers, notably Vladimir Levin,
operating in St. Petersburg in Russia hacked into Citibank in New York. They
succeeded in committing wire fraud, basically, to the extent of $10 million
before they were caught, arrested, tried, convicted and everything else. There
are a lot of lessons in that case. Nobody wants to talk about the Citibank case
much, because the bankers don't want you to think about problems with online
banking and the internet. The dotcom companies don't want you to think about
the consequences of cybercrime. . . . This wasn't even an internet crime. This
was just a dial-in system where you made transactions to and from your account
over the phone. And these systems were compromised early on. I suggest that
that kind of activity on the internet is even easier, not harder. And in fact,
Citibank, in order to deal with those vulnerabilities after the fact,
instituted "smart cards"--cards for the customer to swipe and identify
themselves, similar to an ATM card. My suggestion is, if you're conducting
online banking, and you are using a password and user ID, you are not using
adequate authentication to the network. You are exposing yourself to
vulnerability.
What did we learn from the Martin Luther King Day crash at AT&T?
Well, the Martin Luther King Day telephone crash, back in the early 1990s,
affected the public switched network, the telephone system from coast to coast,
for many hours. There was significant infrastructure collapse. . . . We hear a
lot of talk about information warfare, and the preparation for information
warfare, and the need to build up defenses against infrastructure attacks. And
some of the doubters say, "Well, where is the evidence of infrastructure
attacks?" And no one will talk about it, and maybe there hasn't been one. But
the Martin Luther King Day crash in the early 1990s is an incident that I
understand to be an infrastructure attack, although AT&T only acknowledges
a software glitch. There was never any prosecution, any arrest or prosecution
in the case. There is evidence that it was a single command issued by a hacker
that brought down the public switched network that day. . . .
What is it going to take to make cyberspace a safer place?
I think it will have to do with tort law, civil liability and exposure.
And of course, no one wants to talk about government regulation. But I always
point out to people that when they come into their office in the morning and
switch on their lights and they get electricity, and they pick up their phone
and they get a dial tone, to some extent, like it or not, the availability and
the constancy of those utilities has to do with government regulation. If we
are going to look at the internet as a place to do business, as something as
vital as the phone system, or the power grid, or the air traffic control system
itself, then you have to start looking at what you will require from those who
want to be the bulwarks of that . . . .
Author, Applied Cryptography and Secrets and Lies: Digital Security
in a Networked World.
What are the dangers for the average computer user?
The danger for the average computer user is that someone will hack their
system. Now, most average computer users don't have anything worth stealing.
Right. It's the joke of protecting your house by poverty--there's nothing in
your house worth stealing. Now, on the internet, there are other dangers,
because your computer could be a launching pad for other attacks. So people
might want to break into your computer to use your computer as a site to break
into something further on. These are real dangers, and this happens all the
time. A lot of the denial of service attacks from last February were
based on these sorts of launching pads.
What are the economic dangers for the corporate world?
For a corporation, the dangers are very great, and we see it again and again.
We see major web sites that are hacked, and they're brought down for six, eight,
ten hours. This affects their bottom line if they have a revenue model. We
see a company like CD Universe get hacked and have 300,000 credit card numbers
stolen. This greatly affects their credibility, and I don't know if they've
recovered yet from that.
We see companies that are losing proprietary information. The web site for the
television show "Survivor" had the big ending of their series stolen off the
web site. . . . So there are enormous risks out there if you're a business.
On the plus side, all these risks are manageable. None of them are new. None
of them are new for the internet. If you had a storefront, you were worried
about graffiti. You worry about someone breaking into your store and stealing
things. You worry about losing money, you worry about losing credibility. So
the internet is just a new venue for these old risks. . . .
What the internet does have, because the internet has no definition of
place, is that you're suddenly worried about all the criminals in the world.
If you had a store in Toronto, you had to be secure against all the criminals
for whom it's worth their time to drive to your store and break in. But if
you're on the internet, everything is next to you. So you're sitting in
Toronto, and you can have an attacker in Thailand who can very easily attack
your internet store.
So because the internet is global and there's no definition of place, the
number of criminals that you have to worry about goes up. On the other hand,
the number of targets goes up. So if you're in Toronto, those Toronto
criminals have no one else to rob except Toronto stores. But if you're on the
internet, all those criminals have all those other stores to possibly rob.
So, on the one hand there are a lot more possible attackers, but there are
also a lot more possible targets.
If hackers can do all this stuff, what could organized crime do?
I think we have to take organized crime much more seriously than we do hackers.
Organized crime goes where the money is, and the money is moving to the
internet. And if you can go on the internet and steal people's credit card
numbers, and steal identities, and steal phone numbers, and steal products and
money and possibly sell faulty goods, organized crime will move to that.
They're going to move to it as long as it's profitable. And organized crime is
likely to be better funded, better skilled and better organized than lone
criminals, than hackers are. . . . I think organized crime is a big worry,
and I think it's going to get worse, as criminals realize that there's money to
be made on the internet. . . .
Can the internet ever be totally secure?
. . . I believe the internet will never be secure. But that's okay. The real
world is an insecure place. Anybody can kill anybody they want to. Yet we
all live pretty much happy lives. . . . So the internet will be no more secure
than walking through the streets. But the reason we have security in our daily
lives is not because there's magic technology that renders guns inoperable, but
because we have a legal system, we have societal rules, we have culture that
makes our city safe, and our world safe. And I see the same thing happening on
the internet.
As a society, are we up to speed on this? We have rules for guns, and rules
for traffic. But are we up to speed on the internet?
I don't think we are. I think the internet is a much more anonymous place.
One of the reasons there seems to be a lot of low-level crime in hacking is
that it's very easy to be anonymous. There isn't low-level mugging in cities,
because you're doing it. It's you. You're there, you can get caught, and you
can get in trouble. The internet is much more anonymous; it's much more
distant. You can do things without fear of reprisal. That has to change. We
have to spend more time detecting crime, responding to crime, and prosecuting
crime on the internet, just like we prosecute crime on the streets to make our
cities safe. . . . The real moral is that the internet is no different than
the real world. We just have to take all the things that work in the real
world and move them into the internet. You can't just buy that firewall and
think you're safe. . . .
Manager of Information Security, Frank Russell Company
Sizing the threat is tough. There is a whole spectrum of different threats.
The possibility of abuse of people's privacy is a large threat. The threat of
internal abuse by employees on systems incidentally, just by mistake because
the systems are poorly configured, continues to rise. . . . On deliberate
attempts, I believe that the threat of people taking action against
organizations in a technological manner is increasing every day.
It is all second-guessing. There is no real intelligence or strong data to
support it. But instinctively, it is easy for me to foresee the technology
threat, the threat of abuse of technology against a company or person becoming
greater and greater every day. . . .
[What would a secure system look like?]
. . . This technology cannot be secured, and that's a fact. I would debate that
with any vendor, with any inventor of internet technologies, with any business
that is deployed . . . . I would debate that with anybody. I believe it
cannot be secured. It can only be risk-managed. All the technology that
underlies this whole internet web phenomenon is technology that was meant for
communication. It was not meant to conduct business. It is open technology.
Everything that you have to do to secure it is . . . afterthought stuff. And
because it is afterthought stuff, because it is not part of the infrastructure
itself, it creates a slew of problems and costs.
The fundamental problem is that vendors and people are involved in the myth of
how good it is, and they don't want to diminish that story by recognizing the
fact that it may not be as cost-effective or as sensible a use as they would
like to think it is. People are having a hard time giving up what they believe
this is, what the internet is going to be, what this technology can provide. . . .
Davis, a security consultant and ex-hacker from Ottawa, tracked down Curador,
an 18-year-old hacker from South Wales who in 2000 stole an estimated
26,000 credit card numbers from e-commerce web sites and posted them online.
How would you characterize the internet's vulnerability . . . to criminals
or terrorists?
. . . There are ways that you could shut down the internet in two or three
hours. I know people that have the ability to do it. Just thankfully, they
don't want to do it. They're ethical people. . . . But people who are working
for things like organized crime, or in terrorist groups, thankfully don't have
that type of skill set at this point. I think it's possible that they would be
able to find people with that skill set, and at that point, it would start to
get really scary. . . .
What sort of vulnerabilities are there? What could be done?
The major vulnerabilities that we see right now are in the Microsoft
products. Microsoft has a web server out that has 15 or 20 fairly large
security problems with it. There have been three or four really major ones
over the last couple of years. And this is what we see the young kids using
right now, because there's a lot of programs out there that you could just
download, run, and it'll re-write the web page for you. One gives you full
access to the remote web server in about four seconds. There's another one
that will completely shut down the web servers in a second. There are all
kinds of tools out there that these kids can download and they don't have to
understand how they work. They don't have to understand how to write it. The
only thing you have to do is understand how to click a mouse. So that does
cause a lot of issues and a lot of problems. . . .
Giovagnoni is the Executive Vice-President for Strategic Relations for
iDEFENSE, a private agency specializing in information intelligence.
Is it really possible to devise protection for the infrastructure of the
internet?
Well, yes. But I want to make a distinction here. I don't know that you can
totally secure something within the internet. . . . The internet, when it was
originally designed, was designed to be open. And now we are trying to protect
it in the way that you can close all the doors, and by its very nature, it
won't happen. Not in the foreseeable future. Maybe never. So what you have
to be able to do, if you are concerned about protecting a particular system . . .
is to put obstacles in the way of someone who wants to get access to it. . . .
But there's no way of being on the internet that's not risky?
No. You cannot build a wall around your computer and assume it will never be
attacked, or that it will be protected totally, unless, of course, you're
connected to nothing, and you lock it in a room, and never use it. . . .
If I am on the internet, what are the chances that I am vulnerable to some
kind of an intrusion or loss?
Well, I would almost say that there's a 100 percent chance that you're
vulnerable. The internet itself is vulnerable. You are vulnerable, no matter
where you are on the internet. . . .
Is that just an inherent set of circumstances that we buy with the
technology, or can we do something about that?
I don't know that it's inherent. I think we can do something about it . . . .
Once we understand the internet, and once we understand the consequences of our
actions when we take a laptop home and we take a computer disk from work, and we
load it at home, and maybe take it back . . . then we have a better way of
dealing with it. . . . If you're asking me, "Can we evolve or can we develop
this so that you have the ability to make it so that no one can break into
anything?" I don't think that will ever happen. So you can't make it
that secure. But you can make it secure, in the sense that, as people
become aware of security practices and how the system works, you can
protect the information that you want to protect by making conscious
decisions.
Reid and Count Zero are members of Cult of the Dead Cow,
a hacker organization which developed "Back Orifice,"
a computer program which allows the user to remotely view and
control any computer running Windows 95 or later.
Do you see dangers in us being so wired and connected the way we are at the
moment?
Count: I think about that a lot. . . . I think a lot of the fear that's
happening is fundamentally because there are big misconceptions of what the
internet is all about. The internet is not a nicely packaged lined up row of
books in a library where everything's organized by the Dewey Decimal System and
everything is published by a handful of publishers that control all of it.
It's not something that's sanitized, categorized, shrink-wrapped and
freshness-dated on a shelf.
The internet is a mirror of society. It truly is something that reflects all
of the elements in the physical world--the types of people who use it, the
types of things that are on it, what's being said, and what you'll see and
read. . . . People who are criminals are going to be on there. There are
going to be people on there where you just cannot understand where they're
coming from, and that'll scare some people. . . .
Society is complex, and it's often very messy. And I think people just have to
deal with that, roll up their sleeves, and jump in and just get involved and
try to fix things that are broken, and accept the fact that other people are
going to say things you don't like a lot of times.
Reid: The internet itself was constructed with this idea that we were all
going to be nice to each other. All of the standards and all of the protocols
assume, basically, that no one is going to lie or cheat or steal. It was
designed basically for the US government in planning a war, and then it was
co-opted by scientists to coordinate research. And there was really no effort
made early on to insulate that, or to protect against people who just are
outside the trust model, people who just want to go in and see what they can
do, and they just don't care. Unfortunately, it's hard to build on top of a
system like that and not retain some of those strengths and weaknesses. Those
protocols are very simple, they're fast, they're efficient. But they are wide
open.
Nowadays, we are paying for the sins of our fathers in the same way that we had
the Y2K bug, which we spent years gearing up for--and thank God we did, because
it could have been awful. The general public is sick of hearing about Y2K, and
they assumed it was a big joke, but it never was. That could have been very
devastating. But those kinds of problems exist on the net in spades. If
somebody wanted to take down the internet, they could do it; they could still
do it. None of that has changed. . . .
FRONTLINE · wgbh · pbs online
some photos copyright ©2001 photodisc
web site copyright WGBH educational foundation