In the latest "Die Hard" movie, "Live Free or Die Hard," Bruce Willis reprises his role as Detective John McClane. This time, he fights against a shadowy criminal group that's using Internet attacks to devastate America's infrastructure. McClane must stop the gang and rescue his kidnapped daughter in the process. That plot description got us wondering: Is it really possible for a group of hackers to cause economic or physical devastation in the United States?
Cyber security is becoming an important issue. Many media organizations and government officials rank it just as grave a threat as terrorist attacks, nuclear proliferation and global warming. With so many commercial, government and private systems connected to the Internet, the concern seems warranted.
To add to the concern, consider that today's hackers are more organized and powerful than ever. Many work in groups, and networks of black-market sites exist where hackers exchange stolen information and illicit programs. Credit-card data is sold in bulk by "carders" and phishing scams are a growing concern. Malware -- viruses, Trojan horse programs and worms -- generates more money than the entire computer security industry, according to some experts. Hackers are also distributed all over the world, many in countries like Romania that have lots of Internet connectivity and loose enforcement of laws.
Recently, the British government released evidence that foreign intelligence agencies, possibly in China, Korea and some former Soviet states, were hacking computers in the United Kingdom. "Economic espionage" was believed to be one reason behind the attacks [Source: Computer Weekly]. Economic espionage involves attempting to undermine the economic activity of other countries, sometimes by passing on stolen industry and trade secrets to friendly or state-owned companies. Key employees, those who have access to sensitive information or government secrets, can be targeted through virus-laden e-mails, infected CD-ROMs or memory sticks, or by hacking their computers.
To respond to these threats, the European Union, G8 and many other organizations have set up cybercrime task forces. In the United States, some local law enforcement organizations have electronic crime units and the FBI shares information with these units through its InfraGard program.
Great Britain thinks it's facing a threat, but should the United States be concerned? Recent events in Estonia may actually shed some light on the situation.
Cyber Attacks in Estonia
On April 27, 2007, the Estonian government moved a controversial Soviet-era World War II memorial from a square in the capital city of Tallinn to a more secluded location. Protests erupted in Estonia and Russia, where Estonia's Moscow embassy was blockaded. The Russian government protested vociferously and issued threats. (Estonia was occupied by the Soviet Union for much of the Cold War, and a large Russian minority lives there.)
Weeks of cyber attacks followed, targeting government and private Web sites. Some attacks took the form of distributed denial of service (DDoS) attacks. Hackers used hundreds or thousands of "zombie" computers and pelted Estonian Web sites with thousands of requests a second, boosting traffic far beyond normal levels.
The Estonian government compared the cyber attacks to a terrorist attack. At first, many people thought the attacks were being committed by the Russian government, causing some pundits to label the events the first "cyber war." It's now believed that the Russian government didn't directly participate in the attacks, although they did contribute a lot of angry rhetoric. Instead, incensed Russians were likely behind most of the attacks.
The Estonian cyber attacks weren't larger than other DDoS attacks, but they were able to shut down some sites for a time. The government didn't lose any infrastructure, but the events proved extremely time consuming, expensive to combat and indicative of weaknesses in Estonia's cyber security.
The Estonia cyber attacks were not the first of their kind. Previously, other political grievances have spilled over into hacker feuds. Indian and Pakistani hackers have in the past launched barrages of viruses and DDoS attacks as part of the long-standing tensions between those countries. Israeli and Palestinian hackers have launched tit-for-tat attacks, defacing each other's Web sites. But the weeks of cyber attacks suffered by Estonia appear unique because they, for a time, consumed the affairs of an entire government and drew the attention of the world.
Estonia, a country considered to be especially "wired," weathered its cyber attacks with some economic and governmental disruption, but without significant or long-term damage. How would the United States fare in such a situation? Read on to find out.
U.S. Cyber Security
On April 19, 2007, the Congressional Subcommittee on Emerging Threats, Cybersecurity, Science and Technology, part of the Homeland Security Subcommittee, learned that systems at the Departments of Commerce and State were hacked in 2006. The Chief Information Officer at the Department of Homeland Security, Scott Charbo, may lose his job as a result of "844 security-related incidents" that occurred at the DHS in 2005 and 2006 [Source: News.com]. Those incidents include classified e-mails sent over unsecured networks, personal computers used on government networks, installation of unapproved software, leaks of classified data and problems with viruses and unsecured firewalls. The DHS also received a "D" grade on its annual computer security report card, though that was up from the failing grades it received from 2003 through 2006. (The entire federal government scored a C-minus, up from a D-plus the year before.)
Because of these and other failures, the government is responding. The DHS now has an Assistant Secretary for Cyber Security and Telecommunications, Greg Garcia. In early February 2006, the U.S. government, along with 115 partners in five countries, conducted a set of cyber war games known as Cyber Storm. This large-scale simulation included major corporations, government agencies and security organizations. Cyber Storm served as a test of what would happen in the event of cyber attacks against important government, business and private Web sites. The faux attacks caused blackouts in 10 states, infected commercial software with viruses and caused important online banking networks to fail. The exercise dealt with defending against and responding to the attacks as well as managing misinformation that might be spread by the attackers themselves. Cyber Storm II is scheduled to occur sometime in 2008. Meanwhile, at Barksdale Air Force Base in Louisiana, 25,000 members of the military work on electronic warfare, network security and defending the country's Internet infrastructure.
In the event the U.S. is ever faced with a massive cyber attack, intelligence agencies, the Department of Defense, the military and the unit at Barksdale Air Force Base would likely be among the so-called "first responders." US-CERT, the United States Computer Emergency Readiness Team, would also play a major role. US-CERT was established in 2003 and is charged with protecting Internet infrastructure and defending against cyber attacks.
Next, we'll look at the possibility of a cyber attack in the United States.
Cyber Attacks in the United States
Clearly, the United States faces a lot of security holes in its Internet infrastructure, despite the government's efforts to shore up security. But do these security lapses translate into "Die Hard"-style mayhem and destruction? Not quite. No one died in the cyber attacks on Estonia, nor is there a record of anyone ever having been killed because of a cyber attack or a computer being hacked. Some terrorist groups have expressed a desire to launch Internet-based attacks, but the main concerns actually revolve around criminal gangs that extort companies for money and angry hackers trying to make a statement (as with Estonia).
Improving security, redundancy systems, monitoring software and human oversight make it virtually impossible for cyber attacks to inflict large-scale physical casualties, or even any at all. Military systems in particular are considered quite secure, so ICBMs aren't going to be launched by an 11-year-old in Beijing. Nuclear weapons, as with many other critical or classified systems, aren't even connected to the Internet [Source: Washington Monthly].
Estonia showed us that the possibility of economic damage is real, especially if hackers could shut off power supplies or infiltrate a major bank or the stock market. But in many cases, it's much easier for a hacker to gain entry into a system or network than to do any actual damage while inside. Also, the presence of well-trained human staff and proprietary systems at utilities and other vital systems means that any problems can be quickly dealt with. In the meantime, the main dangers to cyber security remain in the form of worms, viruses, Trojan horse programs and the exploitation of security flaws, all of which continue to cause billions of dollars in losses to private industry every year.
More Great Links
- Broache, Anne. "Homeland Security finally transcends F cybersecurity grade." CNet News. Apr. 12, 2007. http://news.com.com/Homeland+Security+finally+transcends+F+cybersecurity+grade/2100-7348_3-6175666.html
- Broache, Anne. "Homeland Security IT chief blamed for cyberwoes." CNet News. June 20, 2007. http://news.com.com/Homeland+Security+IT+chief+blamed+for+cyberwoes/2100-7348_3-6192255.html?tag=cd.top
- Committee on Homeland Security. "Letter to Scott Charbo." Apr. 30, 2007. http://homeland.house.gov/SiteDocuments/Charbo.pdf
- Evers, Joris. "U.S. cybersecurity czar has his marching orders." CNet News. Feb. 20, 2007. http://news.com.com/U.S.+cybersecurity+czar+has+his+marching+orders/2008-7348_3-6160438.html?tag=st.bp.story
- Green, Joshua. "The Myth of Cyberterrorism." Washington Monthly. November 2002. http://www.washingtonmonthly.com/features/2001/0211.green.html
- Greenemeier, Larry and Hoover, J. Nicholas. "How Does The Hacker Economy Work?" Information Week. Feb. 10, 2007. http://www.informationweek.com/showArticle.jhtml?articleID=197004939
- Goodwin, Bill. "Act on foreign spy risk, firms urged." ComputerWeekly.com. Dec. 1, 2006. http://www.computerweekly.com/Articles/2006/12/01/220307/act-on-foreign-spy-risk-firms-urged.htm
- Kamath, John-Paul. "Hackers could dent economy, US warned." Apr. 24, 2007. http://www.computerweekly.com/Articles/2007/04/24/223399/hackers-could-dent-economy-us-warned.htm
- Regan, Tom. "'Cyberstorm' tests computer defenses." The Christian Science Monitor. Feb. 13, 2006. http://www.csmonitor.com/2006/0213/dailyUpdate.html
- Vamosi, Robert. "Cyberattack in Estonia--what it really means." CNET News. May 29, 2007. http://news.com.com/Cyberattack+in+Estonia-what+it+really+means/2008-7349_3-6186751.html
- "China trying to unseat U.S. as lead cyberpower." Reuters. CNet News. June 13, 2007. http://news.com.com/China+trying+to+unseat+U.S.+as+lead+cyberpower/2100-7349_3-6190819.html?tag=cd.top
- "Cyber-War Web Defacements." Hackers' Attacks. May 20, 2007. http://calima.serapis.net/blogs/index.php?/archives/11-Cyber-War-Web-Defacements.html
- "Live Free or Die Hard." Imdb.com. http://www.imdb.com/title/tt0337978/
- "NATO says addressing cyberattacks urgent." Reuters. CNet News. June 14, 2007. http://news.com.com/NATO+says+addressing+cyberattacks+urgent/2100-7348_3-6191011.html?tag=cd.top
- "Welcome to US-CERT." United States Computer Emergency Readiness Team. http://www.us-cert.gov/