A Chat with Worm Hunter Richard Pethia

Software vendors need to do a better job protecting the Internet from viruses, intruders, and terrorists, says CERT's resident expert

After Richard D. Pethia gets off the phone, he's going fishing. It's a glorious fall day in Pittsburgh, where Pethia has worked for 13 years as director of the CERT Centers, a federally funded research-and-development center operated by Carnegie Mellon University. The 55-year-old Pethia and his team track and record computer- and network-security incidents. It's a high-stress job, and Pethia is looking forward to coming home with some striped bass.

Pethia hasn't had much time for fishing lately. Since the start of summer, a number of computer "worms" (so named because they replicate automatically) have been menacing the Internet. The Nimda worm, for example, hit on Sept. 18. By the end of the day, it had infected more than 100,000 computers. And Nimda came just weeks after Code Red, which rampaged across the Internet in a matter of hours.

When a security breach or virus hits the Internet, Pethia's organization goes into action. First, it disseminates information about the attack and the actions necessary to foil infection. If the warning comes too late, CERT suggests ways to repair the damage. The center also spreads the word to other research organizations and security outfits.

Established in 1988, CERT is one of the oldest research centers fighting computer viruses and intrusions. It has handled more than 63,000 incidents and cataloged 3,700-plus computer vulnerabilities. Last year, CERT received 1,090 vulnerability reports -- more than double what it handled the previous year. In the first half of 2001, it had already received 1,151 reports. Pethia expects that number to top 2,000 by yearend.

When Pethia joined CERT, the federal government was the Internet's primary benefactor. At the time, he was a researcher at Carnegie Mellon University's Software Engineering Institute, where he worked on programming techniques aimed at making software more reliable. Back then, he recalls, just 20,000 computers were tethered to the Net, most of them used by scientists and engineers -- the first generation of geeks. Today, with tens of millions of computers connected to the Internet at any given moment, Pethia estimates that hundreds of thousands of those units are vulnerable to one form of attack or another.

Now that the Web is used by people representing every level of digital know-how -- from the digitally sophisticated to the technophobic -- the diverse levels of skill make it that much harder to secure the Internet, Pethia points out.

Pethia, who testified Sept. 26 on Capitol Hill about computer security, also discussed a wide range of topics with Ira Sager, managing editor of BusinessWeek's e.biz supplement. Here are edited excerpts of their conversation about ways of making the Web more secure, and also about the vulnerabilities that keep Pethia awake at night.

Q: The topic of your testimony on Capitol Hill was "Information Technology -- Essential But Vulnerable: How Prepared Are We for Attacks?" What's your answer to that question?

Look at our experience with...Nimda and Code Red.... Look at how fast they spread. We're not very well-prepared at all. The Internet is not going to stop working. It is going to continue to operate. And large organizations are taking a lot of the right measures, so the probability of suffering an attack that keeps them off the Internet for a long time is low. But we're still seeing several different types of attacks that have the ability to knock out computers.

Q: If you had to hand out a grade for how well-prepared private and public organizations are, what would you give?

I'd give a C-minus.

Q: In the last few years, have the number and sophistication of computer intrusions been on the rise?

Yes, ever since 1997, when you began to see the widespread use of automated attack tools that allow you to simply push one button. In the last couple of years, we've seen the reemergence of worms. It's possible for these worms to spread without being easily detected. Nimda and Code Red were noisy. I worry about worms that move slowly, more quietly and could infect 10,000 computers before you even know they're out there.

Q: Does that technology exist, or is it something you expect people who write these programs to include in the future?

It's speculation based on the attack technology we're seeing today. In the early '90s, suddenly a hacker with a finger on one key could launch automated scripts [pre-programmed attacks]. After that, they started adding stealth technology such as encryption to mask their attack and communicate with a compromised machine. And they also started to write software to hide what they were doing from the people who manage the computer they took over.

Q: Following the September 11 terrorist attacks, has there been an increase in the number of incidents?

We haven't seen any significant change in activity.

Q: Have you seen any recent examples of cyber-terrorism?

I haven't seen any yet, but I think we could. [Terrorists] could target a specific industry to cause economic damage or fear.... A few years ago, there were attacks against 911 systems in the South.

Q: What can be done to improve security on the Internet?

[There is] a strange kind of complacency. The marketplace isn't demanding higher-quality products. I don't know where to impart the blame. Users have to recognize that, until they demand higher-quality software [without bugs or flaws], they won't get it. What might have been acceptable five years ago as a commercial product isn't acceptable today. Eventually, the marketplace is going to recognize that, especially after the latest round of viruses. A huge amount of money was spent on cleanup.

We need to virus-proof our systems. We know how to design systems so they can resist viruses. When importing software from the outside into a machine, you can constrain its execution. We just haven't designed systems using that technique. We have to change the way we write application software. And we need to really pay attention to the software flaws that turn into vulnerabilities out there. All the software vendors need to step up and do a better job.

Q: What keeps you up at night?

I don't worry about the cataclysmic event. It's the death by a million paper cuts that worries me. We depend a lot on this information infrastructure [the Internet]. If this were to slowly erode because of a stealth attack, it could take months to get back up.
