Blindsided

The Defense Department's electronic networks, the nervous system that controls America's military muscles, bristle with more than 3 million desktop computers. It is a battlefield so big that even the soldiers who defend it say it's beyond their control. Vast streams of data and commands, from the mundane to the most secret and restricted, pulse through more than 1,500 internal networks and 100,000 data servers. And at numerous locations, this behemoth connects to the Internet. These connections help America project its military might across the globe. But they also open the military computer network to attack. And it is attacked ferociously. Once every 12 minutes.

Security experts can't say how many Zero Day exploits are circulating, but so far, they are rare. A successful attack offers a precious glimpse into the digital underground. Network defenders got just such a peek behind enemy lines a little more than a year ago.

Keeping a network exposed to attack is like withholding treatment from a sick person in order to study a virus.

Network defenses mirror human immune systems. A Zero Day exploit "is a microbe or a pathogen the body has never been exposed to," says Steven Hofmeyr, the founder and chief scientist of Sana Security, an Internet security company in San Mateo, Calif.

More than a week after the 2003 Zero Day attack, the Air Force had contained the exploit in its own networks, protecting the other military services. The intruder did no damage, hitting only unclassified systems. But his rifling through files looked like reconnaissance, and Bryan feared the intruder could launch attacks from inside the network.

Forrester's decoy sat untouched. If the hacker took the bait, revealing his secret, the Air Force could permanently block him, instead of playing a dangerous waiting game.

Navy systems were knocked off-line.

But for all the hubbub, the damage from the Zero Day attack worldwide was minimal. It was focused. It was mitigated. Agencies and corporations weren't brought to their knees. But to think that means the attack couldn't have been worse, or that it's not a sign of things to come, would be folly, warn Zero Day watchers, who are accustomed to being labeled histrionic doomsayers.

Zero Day attacks come without warning, exploiting computer weaknesses known only to the attacker. They're poised to proliferate and there's no defense against them.

Most attacks fail. Digital assailants bombard the networks with worms, viruses and other digital artillery, known as "exploits," 47,000 times a year. Most don't penetrate the outer defenses. Rings of sensors and firewalls detect and destroy electronic invaders. The military network, though an enticing target for hackers, spies and enemy states, remains mostly impenetrable, its defenders say. But now and then, something slips past.

When an exploit breaches the outer realm through a structural weakness in the network, it sets the defenders' hair on end. A well-tuned worm or virus can corrupt files and clog network arteries. Some exploits can put whole portions of the network under the intruder's control. Every network, military or civilian, government or nongovernment, has weaknesses. But defenders usually know where they are vulnerable and, with warning, they can thwart assailants.

Recently, however, a new form of attack is turning the tables. Defenders never see it coming and discover it only after its damage is done. Defenders have tagged it with an ominous moniker: Zero Day.

Zero Day attacks mark a turning point in the cyber war. For some time, network protectors have held the high ground because software manufacturers publicize vulnerabilities in their products as soon as they're discovered, usually by the companies themselves or by freelance security researchers. The firms distribute patches so users can fortify their perimeters. Most attackers wait for these announcements and then build exploits aimed at the vulnerable spots, hoping to catch companies and computer owners napping. Smart defenders patch their systems quickly. But most tarry, leaving themselves defenseless to fast and sophisticated foes.

But there is no warning of Zero Day attacks. They target vulnerabilities only attackers have discovered: holes unknown even to software architects. The Zero Day attackers secretly penetrate a system. They can dominate it undetected. Zero Day exploits are the stealth bombers of the Internet, and they turn traditional network defense on its head.

It Comes Quietly

In early 2003, an Air Force computer technician monitoring a Web server, at a location the Air Force won't name, noticed strange activity on the machine. Someone had rigged the server with a new user account and several aberrant files. The technician was lucky even to notice the irregularities, and he was so startled that he alerted the Computer Emergency Response Team, an electronic SWAT team stationed at Lackland Air Force Base, Texas. CERT computer forensics experts scrambled. Checking the machine's log, they saw it had been connecting to a restricted nonmilitary network. Typically, those include online casinos and pornographic Web sites.

But investigators found no corresponding inbound connection a digital attacker could have used to gain entry. How could that be? If someone had hacked the system, then how did he get in? The absence of an inbound connection could indicate an inside job: an Air Force employee manipulating the system. But that theory fell apart when, a few days later, investigators discovered other Air Force machines around the world connecting to the same restricted site. This was no insider. It was a never-before-seen vulnerability. Zero Day had arrived.
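The reasoning the CERT analysts followed above (outbound connections to a restricted site, no inbound session that could explain them, and then the same pattern on other machines, which rules out a lone insider) can be turned into a simple hunting check over connection logs. The script below is an added example, not code from the article or from any Air Force team; the log format, the restricted-destination list and the sample lines are constructed for illustration, and a real firewall or proxy log would need its own parser.

```python
"""Flag internal hosts that reach restricted destinations without an explaining
inbound session, and note when several hosts share the same destination.

Added example; the log format, RESTRICTED list and SAMPLE_LOG are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed denylist of "restricted nonmilitary" destinations (TEST-NET addresses).
RESTRICTED = {"203.0.113.45", "198.51.100.9"}

# Constructed connection-log lines: timestamp, direction, source, destination, port.
SAMPLE_LOG = """\
2003-02-10T01:02:11Z inbound  src=192.0.2.77    dst=10.1.5.40    dport=80
2003-02-10T01:05:43Z outbound src=10.1.5.40     dst=203.0.113.45 dport=80
2003-02-10T03:14:07Z outbound src=10.1.5.22     dst=203.0.113.45 dport=80
2003-02-10T03:20:19Z outbound src=10.1.5.22     dst=203.0.113.45 dport=443
2003-02-10T04:10:00Z outbound src=10.1.5.31     dst=198.51.100.9 dport=80
2003-02-10T09:45:02Z outbound src=10.1.5.22     dst=192.0.2.200  dport=443
2003-02-11T02:30:55Z outbound src=10.9.8.15     dst=203.0.113.45 dport=80
"""

# Verdicts, mirroring the analysts' three readings of the evidence.
EXPLAINED = "EXPLAINED"            # an inbound session preceded the outbound traffic
SINGLE_HOST = "SINGLE_HOST"        # no inbound session, one host only: insider or local misuse
UNKNOWN_VECTOR = "UNKNOWN_VECTOR"  # no inbound session, several hosts: suspect unknown vulnerability


def parse_line(line):
    """Parse one constructed log line into a record dict."""
    ts, direction, src, dst, dport = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "direction": direction,
        "src": src.split("=", 1)[1],
        "dst": dst.split("=", 1)[1],
        "dport": int(dport.split("=", 1)[1]),
    }


def hunt(log_text, restricted=RESTRICTED, lookback=timedelta(hours=24)):
    """Return {internal_host: finding} for hosts contacting restricted destinations.

    A finding records the restricted destinations reached, whether any inbound
    session to the host fell inside `lookback` before an outbound hit, and a verdict.
    """
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]

    # Inbound sessions per internal host: the "corresponding inbound connection".
    inbound_by_host = defaultdict(list)
    for r in records:
        if r["direction"] == "inbound":
            inbound_by_host[r["dst"]].append(r["ts"])

    findings = {}
    hosts_per_dest = defaultdict(set)  # which hosts reached each restricted destination
    for r in records:
        if r["direction"] != "outbound" or r["dst"] not in restricted:
            continue
        hosts_per_dest[r["dst"]].add(r["src"])
        explained = any(r["ts"] - lookback <= t <= r["ts"] for t in inbound_by_host[r["src"]])
        f = findings.setdefault(r["src"], {"destinations": set(), "inbound_seen": False, "first": r["ts"]})
        f["destinations"].add(r["dst"])
        f["inbound_seen"] = f["inbound_seen"] or explained
        f["first"] = min(f["first"], r["ts"])

    # Classify: an inbound session is the lead to chase; otherwise the number of
    # hosts sharing the destination separates "insider" from "unknown hole".
    for host, f in findings.items():
        shared = any(len(hosts_per_dest[d]) > 1 for d in f["destinations"])
        if f["inbound_seen"]:
            f["verdict"] = EXPLAINED
        elif shared:
            f["verdict"] = UNKNOWN_VECTOR
        else:
            f["verdict"] = SINGLE_HOST
    return findings


if __name__ == "__main__":
    for host, f in sorted(hunt(SAMPLE_LOG).items()):
        print(f"{host:12} first={f['first']:%Y-%m-%d %H:%M} "
              f"dests={sorted(f['destinations'])} verdict={f['verdict']}")
```

On the constructed sample, the host with a prior inbound session is marked EXPLAINED, the two hosts sharing the same restricted destination with no inbound session are marked UNKNOWN_VECTOR (the situation that told investigators they were not looking at an insider), and the lone host reaching a different destination is marked SINGLE_HOST. The lookback window is an assumption; choose it from the session lengths your environment actually sees.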

From the perspective of Maj. Gen. David Bryan, who is in charge of defending all Defense Department computer networks, this was a first strike. The phantom intruder was stealing files from across the Air Force network. At the time, the U.S. military was gearing up for the invasion of Iraq. An air attack on Baghdad would comprise the first wave. A saboteur running loose in the Air Force network was especially unwelcome.

Bryan weighed two choices. He could block the intruder by restricting his online identifier, his Internet protocol address. But the intruder could switch identities. And blocking wouldn't reveal the vulnerability the hacker was exploiting. He'd simply use a different address and the same vulnerability to re-enter.

The second option: Bryan could wait. The Air Force Office of Special Investigations had been called in and had begun monitoring the hack as a criminal matter. Don Forrester, the unit's chief computer investigator, hoped he could observe activity on the infected machines to find the hole. Bryan gave Forrester a week, and a cat-and-mouse game ensued. Bryan wondered how much leeway to give the investigators. Was it better to contain the intruder or give him some room, maybe by putting out tantalizing files to see what he was after? The days dragged on, but Forrester was no closer to plugging the hole. The vulnerability remained invisible.

Forrester made a final plea. Let us hook up a decoy, he proposed, a machine like the victims, but one that hadn't yet been compromised. The decoy was rigged with monitoring equipment. This time, when the intruder went after the vulnerability, Forrester would see it. Bryan acquiesced and gave the investigators 24 hours. But after that, he would block the Internet address.

Out of Time

Healthy networks, like healthy people, can fight off viruses. But coping requires antibodies and networks have none to Zero Day exploits. Early warning systems, sensors and firewalls are impotent. The system has to be infected before the exploit can be fought. That makes a Zero Day exploit "any vendor's worst nightmare," says Mary Ann Davidson, the chief security officer at Oracle Corp., one of the biggest software providers to the federal government. And such exploits are on the rise, she warns.

The time between a vulnerability announcement and the first attempt to exploit it continues to shrink. Six months passed, from June 2002 to January 2003, between Microsoft's announcement of a weakness in its server software and the attack by the Slammer worm that exploited it, knocking phones and automated banking machines off-line. But, later that year, it took just 26 days for a hacker to release the Blaster worm after word came out about weaknesses in numerous products, including Microsoft's most popular desktop operating systems. At the time, Blaster was the fastest spreading worm in history, infecting hundreds of thousands of computers in a few days. Later last year, an exploit emerged just a week after the announcement of a vulnerability in a component common to more than two dozen software programs.

It's hard enough to get thousands, perhaps millions of users to patch a well-publicized hole. But when the window of opportunity closes in a few days, every attack is like Zero Day.

The Battle Begins

The clock ticked down. Forrester's 24 hours were nearly up when his quarry finally bit, enabling the Air Force to gather priceless intelligence. The hacker had exploited a Web site program called Internet Information Services 5.0, made by Microsoft. Microsoft products are everywhere on Defense Department networks. And, Bryan notes, those products contain hundreds of vulnerabilities.

An Air Force security technician called a counterpart at Microsoft headquarters, sending the company into full alert. Technicians worked around the clock for three days to confirm the vulnerability and develop a patch. "Microsoft took it very well," Forrester says, adding that military officials "were very impressed" with the prompt response. Microsoft also mounted a defense. A broad base of private sector customers uses the IIS software. They, too, could be under attack and not know it. And they were.

On March 17, 2003, Microsoft warned its customers that the previously undiscovered vulnerability had let hackers take control of corporate Web servers. Microsoft slapped the Zero Day vulnerability with its highest "critical" rating and warned that the hole could let hackers "run code of [the] attacker's choice" on an infected machine. An Internet security company in Atlanta reported that the exploit already was circulating on the Internet. Hackers now could arm themselves. Security experts braced for a global onslaught.

Further research showed the vulnerability was more severe than first thought. Web servers were affected. But the root weakness resided in file systems in the core of the Windows 2000 operating system for personal computers. Headlines announced that Microsoft's flagship product was under attack. Zero Day had come quietly, but now, it had the world's attention.

Yet there was no digital Pearl Harbor. In June, e-mail spammers used the vulnerability to send large amounts of junk mail through Microsoft's Hotmail service, but this was mostly a nuisance. High-profile and ferocious worms such as Blaster and SoBig, which displaced Blaster as the fastest spreading worm in history, also were grabbing headlines. Security experts refer to that one "horrible week" in August as the worst for worm attacks, but only one appeared to have fully exploited the Zero Day hole the Air Force discovered.

Ironically, a military service suffered the worst damage. On August 20, the Navy reported that a worm called Welchia had infected 100,000 computers on the Navy Marine Corps Intranet by targeting the Zero Day hole. About three-quarters of the Navy's global network was disabled, officials reported. Bryan's staff had issued a departmentwide alert and a warning to patch systems. But Welchia found the Zero Day hole before the Navy did.

New Day Dawns

Howard Schmidt served as second-in-command of federal cybersecurity at the White House from 2001 until April 2003. He and his boss, Richard Clarke, who also was the government's counterterrorism coordinator, were called "Cassandras of the online world" for proclaiming Zero Day was near, Schmidt says. But today, their concern appears justified. The time between vulnerability and exploit dwindles. Worm attacks are at an all-time high. And attackers are aiming their creations at several publicized vulnerabilities at once. If hackers combined their techniques, built a fast-spreading worm armed with one or more Zero Day exploits, the world might witness the big attack Schmidt and others have predicted.

Before he left government, Schmidt warned, "Cybersecurity cannot now be reduced to a second-tier issue." The Homeland Security Department is responsible for safeguarding the nation's networks, but it has been criticized for not according the effort sufficient priority and for making it the responsibility of low-level officials. The department did not respond to repeated requests for comment for this story.

The government increasingly is seen to be complacent about cyber war. The House Government Reform Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census gave federal agencies a D in computer security in 2003, up from an F in 2002. Agencies cannot undertake new projects without paying better attention to security. The Office of Management and Budget now requires detailed business cases, including security plans, before it will seek money for an agency's project.

Across government, security policies are inconsistent. Some agencies apply patches quickly. Some don't. Bryan's Defense Department team responded to its Zero Day with militaristic precision. But most agencies, and corporations, for that matter, take a half-hearted approach to defending their networks, ceding the high ground to hackers. In the meantime, as attackers sharpen their skills, Zero Day draws near.
