Locking Out The Hackers

How to safeguard the Web

The Cabinet Room in the White House was chock-full of high-tech talent. The group included Internet pioneers Vinton G. Cerf and David J. Farber, Cisco Systems Inc. Chief Information Officer Peter Solvik, and more than three dozen other experts from industry, academia, and government--and, of course, President Clinton. They gathered on Feb. 15 to brainstorm over Net security, following a rash of cyber attacks on the world's most famous Web sites. These assaults highlight "how vulnerabilities at one place on the Net can create risks for all," Clinton told the audience. "I don't think we should leave here with a vast sense of insecurity. We're all here; we're going to figure out what to do."

Making the Net more secure is a challenge--and it won't come cheap. But it certainly isn't impossible. Net-heads already have developed a panoply of technologies, such as digital signatures, software filters, and schemes to authenticate people as well as the messages they send. Some of those fixes would make it difficult to fake the address on a data packet that travels the Internet, hamstringing online criminals. In the most extreme scenarios, every packet would be traceable, every sender visible.

Privacy advocates cringe at the more extreme proposals. Fortunately, dire measures may not be necessary--at least, in the short run. Many of the Net's problems can be solved through relatively straightforward measures: Businesses can be more vigilant in guarding against cybercrime, even if it increases technology costs and slows their growth online. Children can be taught computer ethics. The government can enforce stricter penalties against vandals. And pressure can be put on companies with the kind of lax security policies that encourage would-be miscreants. Here are five proposals for making the Net safer, without compromising our privacy or privileges in cyberspace:


There are simply too many things that go wrong with today's software. And hackers know how to take advantage of the weaknesses. "More than 75% of the incidents we see are the direct result of widely known [software] bugs," says Shawn V. Herman, a member of Carnegie Mellon University's Computer Emergency Response Team. Better training for software developers and new programming techniques--such as breaking software into smaller, more manageable chunks--could solve many of the problems. And more real testing--not "beta-testing" in the marketplace--will yield programs that are less vulnerable to attack. "The monster, bloated, multimega office suite is a big part of the problem," says Eric S. Raymond, president of the Open Source Initiative that promotes programs such as the Linux operating system.

Software giant Microsoft Corp. insists, however, that customers will not trade features or functionality for better security. "Chasing software perfection, chasing the last bug, is not what customers want," says Steve Lipner, manager of Microsoft's security response team.

But security, for everyone, hinges on software quality. And quality gets further compromised by companies' mad rush to launch e-businesses. The Web is ballooning, with over three million new pages a day. Those numbers represent a huge consumer market. Serving that market requires new software, which gets cranked out too fast and is often installed incorrectly. In 30% of the customers it tested, IBM found that firewall security software used to protect Web sites was improperly installed--aggravating the bug problem and leaving more openings for hackers. "Speed and money are antithetical to security and reliability," says Peter G. Neumann, a computer scientist at SRI International.

What's more, at most colleges teaching computer science, techniques for developing secure code are not even part of the required curriculum. Says Charles Palmer, director of network security for IBM Research: "Among software engineers, [the study] is looked at as phys ed."


The ability to fight off some types of denial-of-service attacks is already built into the design of the Net. Each packet of data flying around in cyberspace bears a return address. If that weren't the case, Yahoo! Inc. wouldn't know where to send the Web pages your browser requests when you visit their site. But there are ways to fake a return address, known as "spoofing."

During the recent Web site attacks, up to one billion bits of data per second were streaming at Yahoo's overburdened servers. Since much of this deluge consisted of messages from legitimate computers responding to bogus packets with forged Yahoo addresses, the site had no simple way to defend itself. But if the Internet service providers that were handling that traffic had been equipped with certain types of filters, they could have spotted the spoofed packets and sent them packing.

For such a filtering effort to work, according to Steven M. Bellovin, Internet security researcher at AT&T Labs in Florham Park, N.J., virtually all the major ISPs would have to add some filtering software to their routers--the high-power computers that serve as highway exchanges on the Internet. This will cost the ISPs, who must upgrade to faster routers. And the filters will take a toll in network speed. But once these routers were reconfigured, they would simply refuse to deliver packets that were not properly labeled.

This idea is extremely popular with Net engineers. But some ISPs have reservations. Sprint, for example, would have to put spoof filters on 6,000 routers managing customer access. That would entail a lot of support, says Mark Hansard, director of network security services at Sprint Corp. And in some cases, such as at universities, where the network configuration changes quickly, the filters may not work, says Patrick J. Cain, security expert at GTE Internetworking in Burlington, Mass.
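The source-address check such a router filter performs can be sketched in a few lines. This is an added example, not code from the article or from any ISP; the port names, address ranges, and packets are constructed for illustration, and the last function reproduces the caveat about networks whose configuration changes faster than the filter list.

```python
import ipaddress

# Constructed sample: prefixes assigned to each customer-facing router port
# (documentation address ranges, not real allocations).
ASSIGNED = {
    "cust-a": ["192.0.2.0/25"],
    "cust-b": ["198.51.100.0/24", "203.0.113.0/28"],
}

# Constructed traffic: (arrival port, claimed source address, destination).
PACKETS = [
    ("cust-a", "192.0.2.10", "203.0.113.200"),    # source matches the port
    ("cust-a", "198.51.100.7", "203.0.113.200"),  # claims cust-b's address
    ("cust-b", "203.0.113.5", "192.0.2.99"),      # source matches the port
    ("cust-b", "203.0.113.40", "192.0.2.99"),     # outside cust-b's /28
]

def build_filters(assigned):
    """Parse the per-port prefix lists once, as a router would at config load."""
    return {port: [ipaddress.ip_network(p) for p in prefixes]
            for port, prefixes in assigned.items()}

def permit(filters, port, src):
    """Forward only if the claimed source belongs to the port it arrived on."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparseable source address: drop
    return any(addr in net for net in filters.get(port, []))

def filter_packets(filters, packets):
    """Split packets into (forwarded, dropped) by the source-address check."""
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if permit(filters, pkt[0], pkt[1]) else dropped).append(pkt)
    return forwarded, dropped

def renumbering_case():
    """A stale prefix list drops honest traffic until the filter is updated."""
    stale = build_filters(ASSIGNED)
    updated = build_filters(
        {**ASSIGNED, "cust-a": ["192.0.2.0/25", "192.0.2.128/25"]})
    host = "192.0.2.200"  # legitimate host in cust-a's newly added range
    return permit(stale, "cust-a", host), permit(updated, "cust-a", host)

if __name__ == "__main__":
    forwarded, dropped = filter_packets(build_filters(ASSIGNED), PACKETS)
    print("forwarded:", forwarded)
    print("dropped:  ", dropped)
    print("renumbered host (stale, updated):", renumbering_case())
```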


Technical fixes are only part of the solution. Making the Internet secure is also a matter of holding people responsible. "We need to make people liable for the damage they cause," says David Brumley, a Stanford University software developer who helped the Federal Bureau of Investigation track down suspects in the recent attacks.

That means tougher law enforcement. Crack down harder on the cyber attackers, and hacking will suddenly look less attractive--as experts told Clinton at the summit. Bruce Schneier, chief technical officer at Counterpane Internet Security Inc., would go further: He suggests making it illegal to post software that was developed with the sole purpose of launching attacks. "There is no legitimate use for these tools," he insists.

Accountability means more than beefier cybercops. The Internet is poised to make the final leap from its academic roots to a full-fledged business system, which means it's time to bring in the lawyers. "We are right now on the cusp of seeing the standards for what is negligent emerge," explains James X. Dempsey, senior counsel at the Center for Democracy & Technology in Washington. He suggests that, before long, people who let their systems be commandeered may be held liable for not taking appropriate security measures.

This is not so far-fetched, experts say. If you slip on snow outside a neighbor's home, you can sue him for failing to shovel. The threat of lawsuits and other potential hits to the bottom line may persuade boards of directors and insurers to step up calls for increased security at e-commerce firms. Says Harris Miller, head of the Information Technology Association of America (ITAA): "What we have are a whole bunch of forces coming together to make companies move security higher on their list of priorities."


Some solutions are merely common sense. Companies can't just install firewalls--they must monitor them, learn the peculiar signs of an attack, and have policies that ensure a speedy response. Data have to be backed up, even if that adds costs. Administrators have to update software regularly, read the bulletin boards for announcements on bugs, and install patches. In many cases, companies can actually contract with their ISPs to install filters and monitoring systems that will adjust Net traffic. Sprint, for one, offers such services free of charge.


Parents and schools need to teach computer ethics. Kids are being handed powerful tools before they reach puberty. Says William C. Boni, a computer security analyst with PricewaterhouseCoopers: "We do drivers' education before we turn them loose. Why not do computer education before we turn them loose on the Information Highway?"

Well, so far no one has been killed on the I-way. But even a small dose of social responsibility training would go a long way to quelling hacker mischief--preferably before high school.

Some programs are beginning to dribble out, but funding is inadequate. "Hacking is not funny, not cute, and not something that should be admired," says Miller of the ITAA. The group recently teamed up with the Justice Dept. on plans to spend up to $2 million to educate kids. The ITAA is taking its time, conducting focus groups and other research to come up with a message that actually stands a chance of getting through to kids.

None of these five measures would impose ungainly bureaucratic layers on the Internet. And in terms of privacy threats, their impact simply pales beside the aggressive online tracking practices that companies already deploy with abandon.

The solutions lie in the realms of culture, ethics, and technology, all of which can be molded without undue fuss by intelligent, timely decisions. "When problems come up, one of the strengths of the Internet is that people get together and solve them," says William R. Cheswick, a benevolent hacker-in-residence at Lucent Technologies Inc.'s Bell Laboratories. "In some sense, the Net is self-repairing." In that case, let the healing begin.