Tuesday, Feb. 18, 2003

Look Out! Inside that PC! It's the Killer Worm!

On Jan. 24 Erkki Liikanen, European Commissioner for enterprise and information society, was discussing the finer points of fighting cybercrime during a panel at the World Economic Forum in Davos. Less than 24 hours later he announced the latest cyberattack. Industry heavies such as Richard Li, chairman of Pacific Century CyberWorks, one of Asia's leading communication and broadband companies, listened in stunned silence as Liikanen stood up at a Davos luncheon and read out the news flashing across the screen of his Nokia Communicator: a fast-spreading Internet "worm" called Slammer had begun to sow chaos. The attack, which began about 5:30 a.m. GMT on Jan. 25, slowed Internet traffic in South Korea and Japan, hindered credit-card networks and automatic teller machines in the U.S. and disrupted telephone traffic in Finland, corrupting some 700,000 web servers by the week's end. By the time the fallout from Slammer was contained some five days later, it had cost the world economy an estimated $1 billion in lost productivity and business opportunity.

The latest cyberassault, which experts describe as more aggressive than the Code Red worm that struck the Internet during the summer of 2001, underscores how vulnerable governments and corporations are to the twin threats of cybercrime and cyberterror. Mi2g, a London-based computer security firm, estimates that attacks by worms, viruses and hackers caused between $44 billion and $55 billion in economic damage in 2002 alone. Mi2g is predicting that economic damage from all types of digital attacks in 2003 could total as much as $100 billion.

"People don't realize that we are already at war," said André Kudelski, CEO of Switzerland's Kudelski Group, a panelist at the World Economic Forum's session on cyberterrorism. His company designs "conditional-access systems," the software and smart cards that allow analog and digital TV operators to charge for access to content and prevent signal theft.
Hackers don't just try to break the digital codes for his products; they try to break into the company's computer network every day of the week, he said, 10 times a day. Between Jan. 1 and Jan. 30, mi2g counted 19,477 successful cyber break-ins globally, up from the previous monthly record of 16,000 last October. And the prevailing wisdom at Davos was that the worst is yet to come.

Government officials and corporations have been worried for several years about the estimated 10,000 people around the world savvy enough to hack into networks. This shadowy group includes disgruntled employees, computer enthusiasts such as kids who hack for kicks, extremists and terrorists out to create mayhem, and criminal syndicates and fraudsters who use the Internet to steal money, corporate secrets and identities. But today there are 10 times as many potential vandals, because the automated tools used by many hackers make it easier for people with little technical know-how to cause widespread havoc. Mi2g CEO D.K. Matai estimates that an army of up to 100,000 people is now capable of using such tools.

"In the next few months Slammer variants could emerge which are capable of being used alongside physical attack by radicals," said Matai. "This could achieve a significant multiplier effect given the dependence and demonstrable lack of preparedness of the globally networked society." Logs on computers seized by U.S. forces in Afghanistan last summer reportedly showed that al-Qaeda operators spent significant time on sites that offer software and programming instructions for the digital switches running power, water, transport and communications grids. Hacking has already been used to wreak environmental havoc. In 2001, a hacker was jailed for breaking into the computer network of a government-run sewage plant in Queensland, Australia, and deliberately releasing thousands of liters of raw sewage into public waterways.
In some ways, the cyberterrorists are merely reaping what Western technology has sown. Always-on broadband connections and high-speed wireless networks expose a soft techno-underbelly that's irresistible to hackers. And the financial fallout of such attacks is multiplying as corporations and financial institutions carry more and more mission-critical data on their networks. Among other things, the Slammer worm hindered American Express's network and the operation of Bank of America's 13,000 ATM machines. "If we are to avoid a financial Chernobyl in future we need to imagine and analyze what would happen if certain systems were hit," said Davos cyberterror panelist Leonard Schrank, CEO of Brussels-based SWIFT, a networking service used by 7,000 financial institutions which carries 1.5 billion messages per year with a daily value estimated at $6 trillion.

Experts argue that government and business have to work together to create a framework for security, because government doesn't have the capacity to police the Internet, and the private sector can't coordinate a solution on its own. Erkki Liikanen said in Davos that the E.U. is planning to announce a proposal next week for a European Network and Information Security Agency. The agency would collect and analyze data about emerging risks and help set up a Europe-wide computer attack alert system. The U.S. government is considering setting up a Web-wide monitoring center called the Global Early Warning Information System, equivalent to the hurricane detection network, to spot anomalies on the Internet. Within moments of identifying an attack, the agency could limit damage by sending out orders to Internet service providers to shut down ports of entry into particular countries. Such a service is still probably about two years away, says Thomas Ohlsson, vice president of business development and marketing for Matrix NetSystem, an Austin, Texas-based company which tracks Internet performance data.
In the meantime, businesses are on their own. Slammer made clear that lots of corporations have not yet installed a fix for the flaw in Microsoft's SQL server that allowed the worm to infect database servers and send out thousands of probes a second, saturating many data pipelines, even though they have known about the problem since last July. Many companies have cut back their IT departments, and remaining staff can barely keep up with assigning new e-mail accounts, never mind troubleshooting, says Ohlsson. There is plenty to be done: most corporate and government networks have approximately 4,000 identified vulnerabilities, says Ohlsson, "so for every one you patch there are 3,999 left to exploit."

Catching the exploiters is extremely difficult, because the culprits often use stolen credit-card numbers to open Internet accounts and use various tricks to avoid the cyberradar, says Davos attendee Larry Page, a co-founder of the Google search engine. What is needed, he said, is a global approach to security. But there's a catch: companies will never have complete Internet security so long as hackers can hide behind privacy rules that prevent the authorities from hunting them down.

While the role of governments and the prickly issue of privacy is being sorted out, blue-chip corporations are banding together to tackle the problem on their own. Over 250 around the globe have signed on with a U.K.-based group called the Information Security Forum, which advises its members on securing their networks. Still, there is a feeling these days that no one can do enough. The CEO of SWIFT, the financial network, summed up what many at the World Economic Forum were thinking this year. Says Schrank: "I've never been more secure and felt more insecure."