Cybersecurity's Leaky Dikes

While interest is rising in protecting computer networks, too often the tools aren't powerful enough to keep hackers out

As head of the National Infrastructure Protection Center's office in Pittsburgh, FBI supervisory agent Dan Larkin mans a sentinel post on the front lines of the war against cybercrime. Rather than M-16s, his soldiers tote powerful computers, which they use to unmask hackers who break into networks and steal valuable information. They also try to intercept so-called script kiddies, who launch damaging denial-of-service attacks that flood Web servers with bogus queries and freeze company online operations.

Rising interest in cybersecurity, spurred in part by the terrorist attacks of September 11, has vaulted Larkin and his 110 FBI cohorts staffing the NIPC into a much more visible role. Only problem is, the demands on them have outrun the capability of the tools available to do the best job possible.

True, software exists that can quickly mirror-image the hard drive of a confiscated computer, thus making it possible to dissect evidence without damaging the original material, says Larkin. Try to do something more sweeping, however, such as sifting through the massive logs of data that record activity on every computer network, and Larkin's cops might as well be on foot patrol. The tools for heavy-duty cybersleuthing remain rudimentary -- causing a "considerable amount of frustration" within Larkin's team at its inability to do more.

It's a familiar sentiment. The lack of log-sifting tools is just one of the obstacles that frequently short-circuit computer cops, forcing them to spend on average 23% of their time per investigation poring over logs, according to a survey of 151 cops released on June 18 by Dartmouth College's Institute for Computer Security Studies.

Other items on the investigators' wish lists include technology to better track computer criminals' unique Internet protocol addresses, plus tools to quickly map the topology of computer networks to learn where breaches may have occurred. Such capabilities are a must if FBI agents and others are to successfully investigate increasingly complex cyberattacks, says Larkin.

The new focus on security of every kind has prompted more and more companies to get serious about locking down their networks. And tools to bar the network gates have become more affordable and more widely accepted by both the private and public sectors. Yet the virtual threats continue to evolve, in part because hackers are developing more sophisticated tools as well.

Increasingly, high-level assailants are finding ways to camouflage their cyberattacks. That includes sending destructive data in numerous fragments that reassemble only once they arrive at their ultimate targets, past the firewalls and intrusion-detection systems that inspect traffic at the perimeter -- thus breaching conventional security.

Other tools of destruction now sport code that morphs regularly, making it doubly hard for automated security software to verify that an attack is in progress. "The tools [with which to defend networks] are getting better, but systems we are trying to protect are becoming so complex that we're all losing ground," says Bruce Schneier, chief technology officer for Counterpane Internet Security in Cupertino, Calif.

That shows up in the statistics. According to the CERT Coordination Center, a government-funded cybersecurity clearinghouse and research group at Carnegie Mellon University in Pittsburgh, companies and organizations reported 26,829 security incidents during the first quarter of 2002. That compares with 52,658 for all of 2001, and 21,756 in 2000.

At the same time, the number of software security vulnerabilities -- bugs in code that can allow intruders to break in or hackers to crash networks -- reported to CERT has soared. In 1995, the group received 171 vulnerability notifications. That figure rose to 2,437 in 2001, and to 1,065 in the first quarter of 2002 alone. "It's simply a case of low-quality security in a lot of our software," says Rich Pethia, director of CERT.

Worse yet, the cost of hacker attacks appears to be rising. According to the 2002 "Computer Crime & Security Study," released on Apr. 7 by the FBI and the Computer Security Institute in San Francisco, some 90% of the 503 respondents from large corporations and government agencies said they had suffered some sort of cyberattack or security breach in the past 12 months. The average financial toll from these has risen to $2 million per instance in the latest survey, from $500,000 in 1997.

Those self-reported losses may be low, as companies frequently are loath to reveal the true cost of security lapses. With awareness now higher than ever, companies have started spending more on cybersecurity. Despite the rising risks, "most big companies still spend more on catering each year than they do on cybersecurity," laments the security manager at a multibillion-dollar corporation.

The roots of the security threat reach back to the early days of the Internet. The languages and protocols that allow so many disparate systems to talk to each other were never designed for security, says Peter Neumann, a pioneer in secure computing systems and a principal scientist at SRI International, a private research lab in Menlo Park, Calif. That's because the systems built back then were designed for a small, known community, not a global village that logs on continuously.

This endemic weakness has become increasingly evident in recent months. Researchers have discovered glaring vulnerabilities in some of the most basic building blocks of data communications, such as the ASN.1 protocol used for everything from remotely managing power plants and nuclear reactors to passing basic instructions to switches and routers on a network. At the same time, researchers are spotting more problems in all types of application software.

Such revelations have added even more impetus to corporate efforts to shore up cybersecurity. According to tech consultancy Gartner Dataquest, the worldwide security software market should hit $4.3 billion in 2002, up 18% from 2001's $3.6 billion. That's at a time when companies are reining in virtually all other types of tech spending.

While everyone acknowledges that security software and hardware are improving, the current crop of products still leaves a lot to be desired, according to experts such as the FBI's Larkin. Just ask Bruce Hughes. As a manager at prominent computer security certification and testing company ICSA Labs, Hughes test-drives and rates dozens of virus-prevention and other software tools each year.

Hughes lauds the increased availability and affordability of computer-security products. "If someone had said eight years ago that you could walk down to Staples and buy a high-powered firewall for $200, people would have laughed," he says. At the same time, "some security products are getting much more difficult to use," he adds. "With so many options, you can easily forget to change the configuration or skip right over something you could have configured."

Worse still, even some computer-security techniques remain problematic. Cryptographic programs designed to mask information or communications far too often have glaring flaws that make it easy to crack their codes, according to ICSA tests. That seems particularly galling, since the cryptographic standards behind these programs have been around for years and have been put through rigorous academic and real-world testing. "Even the stuff that you think is easy you screw up all the time," says Counterpane's Schneier.

In fact, Schneier and others contend that the best cybersecurity weapon remains the gray one between the ears -- that dependence on automated software will never eliminate the need for brainpower. "Counterpane uses human judgment. We have a system that has people involved. That's the only way to deal with complexity," he says.

Still, it's no surprise that information-technology staffs are agitating for better-made software. This is key, says CERT's Pethia, because the basic code of so many of today's software products was built before cybersecurity was a burning issue. Microsoft (MSFT), Oracle (ORCL), and Apple (AAPL), among others, have stepped up their efforts to write security protection into their products. Eliminating vulnerabilities from the widely used software these companies produce will give specialized security products a better chance to succeed, says Pethia.

The cybersecurity front has had some bright spots. Many companies now demand that partners or suppliers they link to electronically have strong cybersecurity. Insurance companies are even forcing the issue, by requesting more stringent audit and security measures from the companies they deal with.

Moreover, some of the tools on Larkin's wish list appear to be in the wings. The first generation of highly advanced log-management software, from companies such as Network Associates and Network Flight Recorder, is hitting the shelves right now.

Perhaps most important, the federal government finally seems to have grasped the importance of cybersecurity. President Bush has provided less than $100 million for research and development on such security so far, but he has proposed hundreds of millions for cybersecurity efforts in his fiscal 2003 budget, including $11 million for the creation of a government cybersecurity corps, which would pay the university tuition of students who agree to do an as-yet-undetermined number of years of government cybercrime work after graduation.

Bush has also proposed to upgrade the FBI and other government law enforcement bodies, a chunk of which is bound to go toward cybersecurity. For Larkin and his Pittsburgh charges, that's a vast improvement over the days when computer security was an ugly stepchild of law enforcement. Still, it's only a start on what will surely be a long and possibly tortured effort to improve security technologies, give humans better tools, and keep bad guys in cyberspace at bay.

By Alex Salkever