Attacks Highlight Flaws In U.S. Cyberdefenses
Wednesday, July 8, 2009
The coordinated attacks that swamped Web sites in the U.S. and South Korea in the past several days may be a harbinger of things to come, cybersecurity experts say.
Starting Sunday, sites ranging from The Washington Post to the U.S. State Department have gone offline for periods of time since a string of computers controlled by hackers started inundating Web sites with electronic messages.
Users were unable to access some government and commercial Web pages for days. Other sites that were targeted, such as the White House's home page, withstood the attack. Most Web sites have now largely recovered.
Department of Homeland Security spokeswoman Amy Kudwa downplayed the significance of the incident, saying, "We see attacks on federal networks every single day, and measures in place have minimized the impact to federal Web sites."
White House spokesman Nick Shapiro added, "These constant attacks only underscore the importance of cybersecurity. This is a major priority for the president."
James Lewis of the Center for Strategic and International Studies describes the strike as a test of which agencies were prepared and which weren't. The results, he says, were decidedly mixed.
"We can't expect to have this uneven, catch-as-catch-can defense and not suffer something more consequential if a more sophisticated opponent were to attack us," Lewis says.
Experts say this was not a major strike. Attacks apparently came from thousands, rather than millions, of hijacked computers. This type of operation is known as a "distributed denial of service" attack, in which sites are flooded with information, thereby preventing legitimate users from accessing a Web page.
The most significant impact was in South Korea. Lawmakers there have said the attack came from North Korea. American officials say it's too early to know that for sure.
"North Korea is maybe not the least savvy about the Internet of all the countries of the world, but it's got to be in the bottom 10 percent," says former Homeland Security official Stewart Baker. "If even they can launch an attack that has an impact, then we all ought to be worried about what more sophisticated countries can do."
Before Baker was head of policy at Homeland Security, he was the National Security Agency's top lawyer. He says waging cyberattacks has become much easier in the past decade. Organized criminal operations run massive networks of zombie computers, and anyone can pay to use them.
Cybersecurity expert Aaron Phillip of Navigant Consulting describes "software packages you can buy off the shelf that will do this type of work."
"You take the software package, customize it for exactly what you want to go after, and deploy it," Phillip says. "You can rent time on these exploited networks."
Says Lewis of the Center for Strategic and International Studies: "It's like warfare in the Middle Ages. You can go out and hire mercenary bands."
But it is unlike traditional warfare in one important way.
"It's extremely difficult to tell where these attacks come from," says professor Eugene Spafford of Purdue University. "These kinds of distributed attacks can make use of compromised machines around the world that are controlled indirectly by one person sitting at a desk who knows where."
The anonymity of these attacks makes it hard for a government to respond.
The incidents of the past few days are hardly significant enough to be considered an act of war.
But former Homeland Security official Baker says things could get much worse.
"While I was at the department," Baker recalls, "we discovered a flaw in the software of generators that are used for large power plants that actually could cause the generator to tear itself to pieces."
This is the real concern that Lewis and others share. He describes the current incident as "a crowd in the street banging on the front door. What we need to worry about is someone on the inside who engages in sabotage," says Lewis.
And experts such as Baker believe American defenses are not as good as they need to be.
"I think if you talk to private industry or officials responsible for protecting our networks, they would all say they feel less secure now than they did five years ago," Baker says.
As for the likelihood of a catastrophic cyberattack, Baker says the financial meltdown and Hurricane Katrina taught him this lesson: If something seems bound to happen sooner or later, eventually it will actually happen.