Sabotage in Cyberspace: The Coming Electronic Pearl Harbor

by Mark Ward

New Scientist 14 September

A WAR council met in Washington DC last week, and it had nothing to do with Saddam Hussein. Generals, politicians and intelligence agents spent two days discussing how they should confront another foe--- one that is both ubiquitous and invisible. They are convinced that this enemy already has the expertise to invade and paralyse any country it cares to target, and that it is only a matter of time before it strikes.

The threat is information warfare, and the enemies in question those wily information warriors more commonly known as computer hackers.

Speakers and delegates were united in their belief that hostile foreign governments or groups were actively recruiting hackers to attack and disable data networks in Western countries, rendering them defenseless and allowing terrorists to mount attacks with impunity.

The theory that legions of hackers are poised to send networks crashing down around our ears is gaining in popularity. An emergency meeting of the G7 group of leading industrial nations in late July, called in the wake of the bombing at the Olympic Games in Atlanta and the crash of TWA flight 800 from New York, debated ways to deal with terrorists. All the attending nations agreed that more had to be done to control what information was available on the Internet.

Convinced that an electronic Pearl Harbor is imminent, the US is already taking steps to protect itself. Jamie Gorelick, deputy attorney general, has called for an effort similar to the Manhattan Project, which developed the first atomic bomb, to harden federal computer systems against electronic attack. In a speech in June about information warfare, Gorelick warned: "As we become more interconnected, we are also more vulnerable to attack." Later the same month his fears were echoed by John Deutch, intelligence director at the CIA. "The electron is the ultimate precision guided weapon," he told a Senate government affairs committee meeting, adding that the US should prepare itself for "very, very large and uncomfortable incidents of cyberwarfare".

But despite these prophesies of doom, the threat from electronic warfare appears to have been vastly overblown. A report entitled Security in Cyberspace, prepared by Congressional staff investigators Dan Gelber and Jim Christy and released as Deutch was testifying to the Senate, revealed that the only evidence the CIA could muster to support the claims of its intelligence director "consisted of limited anecdotal information". And a three-year survey of 10 000 organizations by Britain's National Computing Centre in Manchester, which provides advice on information technology, concluded that companies were more troubled by viruses, errors by staff and untested software than information terrorists. Only 3 per cent of those surveyed said they had been victims of hackers.

Hacking is becoming increasingly widespread, but most hackers insist they are not out to terrorise companies or governments by deleting files or crashing servers. Instead they are dedicated to what they call "ethical hacking". This involves finding ways into computer systems for the pure intellectual excitement of it. At the same time, a hacker can show the owners of the system that their security can be breached.

One group of hackers, Agents of a Hostile Power, put out a press release claiming it was interested only in ethical hacking. Any member finding a "hole" in a network would alert the administrator of that system so it could be patched and the security of the site improved. The group's name is a parody of a quote from John Austen, the retiring head of Scotland Yard's Computer Crime Unit who said in an interview that he feared gullible computer hackers would be taken advantage of by "agents of a hostile power".

...(snip)

But despite the lax security of many networks, claims that hostile governments or terrorists are seeking to exploit the gaps have not withstood closer inspection. The CIA bases its calls for greater control over the Internet largely on anecdotal evidence, such as the story that hackers sympa thetic to Saddam Hussein offered to disable American military communications during the Gulf War. No evidence has ever emerged to substantiate this.

The CIA also makes much of the story of Richard Pryce, also known as the Datastream Cowboy, and Mathew Bevan, or Kuji, as proof that foreign powers are trying to steal secrets. The pair used false computer accounts in Latvia to enter the systems at NASA's Goddard Space Flight Center in Greenbelt, Maryland. The computer police who were tracking the hackers cut the connection, presuming that spies from Eastern Europe were hunting for information.

But shortly afterwards they caught up with Pryce, and the truth turned out to be rather different. Far from being a hardened spy, Pryce was 16. When he realised he was going to be arrested he curled up on the floor and cried. Kuji remained at large for over a year. The authorities assumed he was a spy who would never be seen again. But on 23 June this year he was tracked down in Australia and arrested. He is a 21-year-old computer technician.