April 10, 2009 at 8:00 AM ET
Carl Sagan liked to say, "Extraordinary claims require extraordinary evidence." Well, the tech world has been full of extraordinary claims lately. A worm named Conficker that promised "Doomsday." A botnet that helped the Chinese spy on the Dalai Lama and more than 100 nations. The U.S. power grid infiltrated by the Russian and Chinese governments.
It's been a bad week in cyberspace.
Or has it?
Conficker turned out to be a dud -- at least on D-Day of April 1 -- like so many other predicted virus disasters before it. The Canadian group that exposed the Dalai Lama hack attack says in its own report that many of the intrusions may have been "coincidental" -- random acts of cyber-mischief, in other words. And the same officials who warned of the grid attack in Wednesday's Wall Street Journal story also said they "don't see an immediate danger."
Hard evidence of state-sponsored cyberwarfare -- never mind extraordinary evidence -- is strikingly absent from the discussion of these looming techno-disasters. Also absent: any real damage.
On the other hand, here's a hard fact: President Barack Obama called for an immediate review of federal cybersecurity efforts in February, and the report is due within days. Some observers say the timing of the dramatic stories is no coincidence.
"(Security experts) are fighting for budget dollars ... so they're positioning themselves. It's a natural response," said Richard Power, distinguished fellow at Carnegie-Mellon's computer security research center, CyLab. He said he didn't think any of the news stories were inaccurate, though some elements might have come from older incidents that have been "reframed," rather than new threats.
If there is hyperbole, Power said, part of the explanation is what he calls the "lost 10 years" for cybersecurity. "It's like time stood still, like the movie 'Groundhog Day.' We did almost nothing in the last 10 years. We keep having the same discussions. So people are frustrated."
Real risks, real exaggeration
Welcome to the tricky world of securing cyberspace. Few disagree that the risks are real. There's a decade's worth of alarming stories involving old-fashioned utility command-and-control systems. Just last year, a CIA official told a group of security researchers that hackers had infiltrated foreign utility plants and extorted operators for money. But most of the stories rely on anonymous accounts or involve relatively small incidents. Ten years ago, Richard Clarke, then-White House director of cybersecurity, warned of an impending "Digital Pearl Harbor." It never materialized, and the phrase is now a punch line in the security world, with many believing Clarke cried wolf at the time.
On the other hand, most observers believe the U.S. government hasn't done nearly enough to secure its critical computer systems. Unfortunately, government money rarely flows to stop a problem before it has serious consequences -- consider the levees around New Orleans, for example. So security analysts must walk a thin line between calling attention to real potential threats while avoiding hyperbole. The real danger created by the boy who cried wolf, you might remember, is that when the risk was finally real, no one took him seriously.
That time might be now, said several analysts interviewed for this piece, including Power.
"The stuff we were talking about 10 years ago is reality now," he said.
Alan Paller, director of research at security firm SANS, said he thought all three threats were "extraordinarily serious." He said a source had independently confirmed the Wall Street Journal story that computers at U.S. utility firms had been infiltrated by Trojan horse programs controlled by foreign governments. He declined to provide additional detail.
Paller was the first to report last year on the CIA’s claim that utility firms were being targeted by extortionists.
But Chet Wisniewski, an analyst with British security firm Sophos, is skeptical. He pointed to the lack of a smoking gun involving state-sponsored hacking.
"If you're going to accuse a foreign government of committing this kind of crime, I would hope you'd say more than 'we think' this happened," he said. "The accusations seem to be coming from the government, and I guess we can decide if we want to trust their word."
There also are alternative explanations, such as the possibility that organized crime gangs could have orchestrated all three attacks for profit, he said.
But even Wisniewski agreed that cyber-spying is almost certainly a part of every nation's military strategy, even if individual stories may include exaggerations. He said he was encouraged that the Obama administration ordered the security review, which he said demonstrated "they're serious about this problem."
While these three cyberattack stories have arisen within a week's time, each should be viewed on its own merits, he said.
The story of GhostNet and the Dalai Lama hacking, first reported in the New York Times, includes by far the most specifics.
GhostNet was studied for nearly a year by Canadian researchers who would likely not be influenced by U.S. government budget decisions.
The 50-page report by researchers based at the University of Toronto included screen images from software that allegedly was used to infiltrate computers in the Dalai Lama's home office and other "high value targets" in dozens of nations, including foreign affairs ministry computers in Iran, Bangladesh, Latvia, Indonesia, the Philippines, Brunei, Barbados and Bhutan. In one tale retold in the report, a Tibetan sympathizer was refused entry into China and shown printouts of private chat room conversations she had, which could have been gleaned from a government-infected computer.
Tibetan computers had been targeted by relatively tame Web site attacks dating back at least as far as 2002. When the Toronto group investigated attacks timed around the 2008 Beijing Olympics, it discovered compromised computers in the Dalai Lama’s personal office.
The attacks weren't necessarily sophisticated, but they were disturbing. In one example, e-mails were sent to workers in the Dalai Lama's personal office with an attached Word document titled "Translation of Freedom Movement ID Book for Tibetans in Exile." But the document was infected, and it turned a worker's computer into a "bot" that could be controlled remotely by the attacker, according to the researchers.
The virus used to infect the Tibetan's computer was not well-known to antivirus firms -- only 11 of 34 popular antivirus products were able to detect it, the Canadian researchers said.
Most "bot-nets" -- armies of compromised computers -- are built to a grand scale, so they can be rented out to spammers or other hackers. But GhostNet is relatively small, the group said, and 30 percent of the computers in it were those of "high value" targets, like the Dalai Lama. That alone led the Canadian group to speculate that a spy agency was behind the rogue network. Still, the group offered many qualifications along with its guess.
"From the evidence at hand, it is not clear whether the attacker(s) really knew what they had penetrated, or if the information was ever exploited for commercial or intelligence value," its report stated. "It is therefore possible that the large percentage of high value targets identified in our analysis of the GhostNet are coincidental."
The use of bot-nets by hackers has exploded during the past two years. Last year, Google's Vint Cerf -- one of the creators of the Internet -- speculated at a security convention that perhaps 100 million computers around the globe were infected, making it plausible that the Dalai Lama's computer was not targeted by the Chinese government, but rather swept up in a larger attack by a for-profit hacker.
A third intriguing possibility, Paller notes, is that organized criminals not directly affiliated with the Chinese government are doing spy work with its tacit blessing, or perhaps even with government funding.
He also said it could be speculated that any bot-net was the work of state-sponsored hackers, but that the Times story was unique because the Dalai Lama was involved, and willing to speak out about the incident.
2: The power grid
The idea that a disruption in power or water service could be used to augment a traditional military attack has been floated for years. In that sense, there's nothing new about speculation that foreign governments have mapped vulnerabilities in U.S. utility networks.
But Paller said recent discussion of upgrading those networks has paradoxically raised the risks.
In order for so-called "Smart Grid" technology, which would refine power distribution, to work, new power meters networked to talk with each other to balance electrical loads would need to be installed in many locations. But that feature would make them much more vulnerable to attack, Paller said. By allowing remote access to power meters, hackers could break in and shut meters off on a mass scale, for example.
At a recent conference, he said, utility security experts were concerned the threat wasn't being taken seriously.
"There was real anger by the security guys saying these people are out selling new meters that can be taken over by a computer worm," he said. "And once they are, they would be so damaged that people would have to travel to fix them."
Power went further in his assessment of smart grid risks.
"We're going to replace an archaic grid with smart grids, which is also a synonym for stupid grids," he said. "We're at a very interesting moment in time."
Such concerns would provide motivation to highlight risks at utility firms, even without the "smoking gun" of actual damage. But Paller stressed that the risks to utility firms are quite real.
3: The Conficker worm
Security experts use the term "spreading FUD" -- fear, uncertainty, and doubt -- to criticize the sales tactics of firms that use hyperbole to scare customers into overpaying for security products. The Conficker incident appears to be a classic example of FUD.
Spurred by a dramatic “60 Minutes” piece, the technology world was abuzz with tales of impending disaster in the days leading to April 1, when Conficker was allegedly set to unleash an ugly disaster in cyberspace. The calamity never materialized, though, leading to accusations that the worm was really an April Fool's joke. One security company even ran a contest to see which media outlet ran the most outrageous headline.
The winner: "Tick.Tick.Tick. Time Bomb Virus to go Off In Hours"
What was the significance of April 1? Infected computers were supposed to be commanded by the virus to check in with a command-and-control server on that date and get new marching orders. But the program has many variants, and the majority of Conficker-infected hosts weren't ordered to check in on that day, according to Sophos.
In fact, "timed" viruses rarely cause trouble, because tech experts have time to prepare for them. It's the surprise virus attacks that cause the biggest problems.
On the other hand, the threat from Conficker is real. The 9 million computers infected with the worm are very likely being used to attack other computers, and used for identity theft or other crimes. A new variant released this week installed “scareware” on victims’ computers, which demands payment from the victim to remove the virus. Getting rid of the program at that point is a serious hassle.
Word of the monster virus was a good occasion for consumers to be reminded about updating their security software. And in fact, about once each year a virus like Conficker captures the public attention. But they rarely live up to the hype.
All roads lead to China
Another reason for Conficker's fizzle: Relatively few of the infected computers -- about 4 percent -- are in the U.S., according to a report issued by SRI International in March. About half the Conficker infections were Chinese computers -- or more than 10 times the rate of U.S. infections.
That makes sense, Wisniewski said, because there are now more Web-connected computers in China than any other nation. There's also a high incidence of pirated copies of software in China, meaning users there cannot keep their machines up to date with security patches.
It also means that virtually any Internet threat -- from state-sponsored spying, to organized crime rings, to pranksters -- will appear to originate from China. Smart criminals always use hijacked computers to conduct attacks and cover their tracks. Because the easiest computers to attack are in China, cybercriminals now routinely start their escapades there, he said.
That means researchers need to use great care when concluding that the Chinese government, or Chinese citizens, are behind any computer hack.
"Because there are so many infected computers in China, just because a connection is from China you can't assume the Chinese government is behind it," he said.
This leaves an unanswered question in his head about the recent tales of cyberspying.
"I'm not saying the government isn't behind them," Wisniewski said. "But if it were … it's not likely they'd leave that kind of bread crumb trail behind."