Cyberspace, like the old West, is a lawless domain of limitless possibilities–for good but also for evil. As in a frontier town, everyone with links to the Internet is going to have to see to their own protection, at least until law and order catch up.
A Russian hacker in St. Petersburg breaks into a Citibank computer system in New York and steals more than $10 million by electronically transferring the money to other banks around the world. Improbable? Not at all–the only remarkable aspect of the affair is that the hacker was caught and the case became public when Citibank requested his extradition. Banks try to keep such thefts under wraps because of the bad publicity, but security experts estimate that about 36 instances of computer intruders stealing sums of more than $1 million occur each year in Europe and the United States.
And that is just the tip of an iceberg of real and potential, civil and military, deliberate and accidental threats to the global web of interlinked computers and communications systems. In the headlong rush to "connect," little attention is being paid to gaping holes in the security of these information networks, according to RAND researchers Richard O. Hundley and Robert H. Anderson. "This is everybody's problem, and therefore nobody's problem; it falls through all the cracks," they write in Security in Cyberspace: An Emerging Challenge for Society.
The authors provide a tour of the cyberspace frontier and of the "bad guys" and dangers lurking there. They also sketch a plan to bring a modicum of order and security to this chaotic, rapidly expanding, and essentially lawless territory.
From Printed Page to Cyberspace
More and more informational activities are going digital and electronic, they point out, with these versions often supplanting all paper records. This is true of educational activities, the holdings of libraries, the process and results of research, engineering designs and industrial processes, the various mass information and entertainment media (newspapers, television, movies, etc.), and all manner of private and public records.
Also moving from the printed page into cyberspace are transactional activities, involving myriad commercial business and financial transactions, the operations of governments at all levels, political activities, and both public and private social interactions.
"White hat" in cyberspace. In Croatia, Dutch relief worker Wam Kat uses the Internet to communicate with other aid groups in the former Yugoslavia. But not everyone skilled in traveling the Web is benign. The number of rogues operating in cyberspace has risen alarmingly in recent years.
Activities involving the operation and control of essential physical and functional infrastructures–power grids, air traffic control systems, telecommunications and the like–are increasingly shifting from mechanical/electrical control to electronic/software control.
And the connectivity between information systems that is at the heart of cyberspace is spreading worldwide and becoming more and more universal, with millions of new entry points every year.
These loosely protected information networks can be attacked in a variety of ways, for a variety of purposes, the authors note: to insert false data, to steal, change or destroy data and programs, and to disrupt, manipulate or control a system's performance. Many of these types of attack have already occurred. Two notable examples are the "Internet Worm," which disrupted activities on the Internet in 1988, and the "Hannover Hacker," who stole information from computer files all over the world during 1986-1988 and sold it to the KGB.
All of these hostile actions can be done surreptitiously and many can be done remotely, at a great distance from the target, via a series of interlinked computers.
Malevolent acts are not the only worry; information systems operating in cyberspace can also be brought down unintentionally. Instances of this range from a farmer accidentally cutting a fiber-optic cable while burying a dead cow (which closed four major air-traffic control centers for over five hours in May 1991) to the software error that caused a major breakdown in AT&T long distance service in 1992.
Who Are the Potential Villains?
The explosive expansion of cyberspace activities gives rise to a new set of vulnerabilities–for governments, the military, businesses, individuals and society as a whole–that can be exploited by a wide spectrum of "bad guys" for a variety of motives, Hundley and Anderson contend. These include hackers, disgruntled employees, criminals, terrorists, commercial organizations, and nations. The case of hacker Kevin Mitnick provides some insight into the first type. He led authorities on a high-speed chase through cyberspace after lifting 20,000 credit card numbers from various computer systems. Mitnick did not try to cash in on the ill-gotten bonanza, apparently more interested in thrills than profits, and was caught only after deliberately provoking the attention of a top computer security expert. Mitnick hacked into the files of Tsutomu Shimomura, who then tracked him down for authorities.
The resources required to cause harm in this cyberspace world are relatively small: one (or at most a few) computer experts with computer terminals hooked into the worldwide network can do considerable damage. The resources required for a nation or group to do significant damage to the military, economy, or society of another nation are greater, but far less than those required to acquire and use major weapon systems. The preparations can also be well hidden, if done carefully. As more and more people become "computer smart" and as villains of many different stripes become more and more aware of the opportunities for mayhem in cyberspace, the resources for major attacks could be within the reach of many nations and some malevolent groups.
To further complicate matters, cyberspace attacks mounted by these different actors are indistinguishable from each other, as are attacks mounted by domestic and foreign-based perpetrators, insofar as the perceptions of the victims are concerned. The distinction between "crime" and "warfare," "accident" and "attack," becomes blurred as does the distinction between police and military responsibilities.
In the authors' view, the danger of more (and more serious) threats in cyberspace is multiplying alarmingly. Statistics support their concern. The number of reported Internet penetrations (many incidents go unreported) rose from six in 1988 to 1,172 in the first six months of 1994. So far, at least, no major disasters have occurred, but the potential certainly exists. For example, it might be possible in the future for some perpetrators (nations or major terrorist groups) to inflict substantial damage by bringing down key parts of the nation's air traffic control system, or the electric power grid, or the international monetary transfer system, even if for a limited time.
Nor is a military disaster out of the question. If an enemy cyberspace attack disrupted a vital military logistics system, or the telecommunications network on which it depends, for a critical period during a campaign, the campaign could be jeopardized.
Links to global electronic networks have spread with amazing rapidity. A few years ago only North America, Western Europe, and parts of East Asia, Australia and New Zealand were connected. Today, the only countries without full links to the Internet are in Africa, the Middle East, and Southwest and Central Asia, and even these will probably establish connections soon.
But taming this wild frontier won't be easy. In addition to the chaotic growth of cyberspace and the blurring of lines of local, national and international authority over activities conducted there, the authors identify another problem. Many individual users neither understand nor accept the need for communal responsibility in safeguarding cyberspace.
In suggesting the elements of a strategy for cyberspace security, Hundley and Anderson draw on a familiar metaphor. Like frontier towns, let each local enclave (business, university, research organization, government agency) see to its own protection, at least for the present, relying on available computer security software and firewalls (security strategies that control electronic access by outsiders but allow insiders, who presumably are trustworthy, to travel the information highways and byways with comparative freedom). But these are little more than stopgap measures, the authors conclude. Barring a technological breakthrough that is not now on the horizon, effective control of cyberspace will require a combination of laws, regulations, the education and training of users, and the cooperation of countries worldwide.
 Citibank recovered all but $400,000 of the stolen money.