Mounting a Defense

Federal efforts to provide key government services online are threatened by cyberterrorism and information warfare.

The Feather River flows down the Sierra Nevada Mountains into Lake Oroville in northern California. The massive Oroville Dam holds back the 690-foot-deep lake. Many of the 60,000 people who live in Oroville, just four miles from the dam, enjoy boating and fishing on the 3.5 million-acre lake. Just 60 miles south is metropolitan Sacramento with its 1.5 million people.

In 1992, a reclusive young man from Portland, Ore., used his computer to gain access to the control systems for all the dams in northern California. He first penetrated the Bureau of Land Management's computers in Portland, which provided the system connections he needed to enter the dam controls. PhantomDialer, or PhantomD as he was known among hackers, could have opened the gates of the Oroville Dam and flooded the surrounding region, causing incalculable damage and loss of life.

"Dams are a phenomenal stored energy weapon," says Stephen Northcutt, an expert on information warfare and director of the SANS Institute's Global Incident Analysis Center. "Airports are below dams. Housing developments are below dams. Military bases are below dams."

PhantomD spent 12 to 13 hours each day at his computer breaking into scores of computers, including systems containing sensitive information vital to national security. His motives apparently were not evil. But with hostile intent, he could have been deadly.

The rapidly growing Internet is a ripe target for computer-based attacks. Governments, businesses and citizens increasingly are interconnected, offering cyberterrorists and computer criminals the chance to wreak global havoc. Free and easy-to-use hacking tools are widely available on the World Wide Web, improving the odds for hackers intent on destruction.

National resources connected to the Internet, such as the Oroville Dam, are vast and growing. The federal government is moving rapidly to provide its services through the World Wide Web. The Internet's international expansion has allowed enemies heretofore limited by geography to expand their reach. Those charged with protecting the United States' critical infrastructure worry that a PhantomD with malicious intent soon will appear.

"Today the cyber economy is the economy," Condoleezza Rice, President Bush's national security adviser, told technology professionals in March at a U.S. Chamber of Commerce conference in Washington. "Water supply, transportation, energy, banking and finance, telecommunications, public health - all of these rely upon computers and the fiber optic lines, switches and routers that connect them. Corrupt those networks and you disrupt the nation. It is a paradox of our times: The very technology that makes our economy so dynamic and our military forces so dominating also makes us more vulnerable."

John Tritak, director of the Commerce Department's Critical Infrastructure Assurance Office, says federal agencies have a vital role to play in protecting national infrastructure. "We have to ensure that the federal government's services are not compromised. What you want to prevent is the scenario of an attacker using cyber means to disrupt government services in a way that causes people to die.

"Information technology has transformed the way we live. The more reliant we are on technology to support our basic needs the more vulnerable we are to the disruption of services via cyberspace. The government has to take the lead in protecting its critical services," he adds. "It must understand how those services are delivered and how they depend on information technology."

But federal agencies only recently have begun stepping up to their defensive responsibilities. "It used to be that agencies said, 'If it's not classified then what's the big deal?'" says John Gilligan, the Air Force's deputy chief information officer and co-chairman of the Security, Privacy and Critical Infrastructure Committee of the federal Chief Information Officers Council.

Congress has grown more concerned about the looming specter of information warfare. When it comes to computer security "we are barely treading water," Congressman Billy Tauzin, R-La., said at an April hearing of the House Energy and Commerce Subcommittee on Oversight and Investigations. "In this increasingly interconnected world, we're either going to prioritize our resources better to meet this challenge . . . or we're going to find ourselves in deep, deep trouble."

War Zone

Only a fine line separates the exploits of a PhantomD from the assaults of cyber warriors. "Cyberterrorism is meant to demonstrate power and wreak havoc," says Rich Stiennon, a security analyst with Gartner Group, a Stamford, Conn., information technology research firm. "Hackers do it because they can - criminals do it to gain money. Cyberterrorism is so much easier, its only goal is to find resources and destroy them."

Tom Talleur, former head of NASA's computer crimes division, now a consultant with KPMG, says cyber criminals have two motivations: "to take out the victims' ability to execute their mission or to take something of value."

The threat of information warfare grows by the day. "Countries are developing a capacity for information warfare, and the federal government needs to be prepared for that kind of attack, should it come," says Sallie McDonald, assistant commissioner of the General Services Administration's Office of Information Assurance and Critical Infrastructure Protection. Over the last decade, numerous civilian and military teams have been created to monitor government networks and react to the ever-growing number of cyber events. The Defense Department identifies thousands of intrusions into its systems every day. More serious breaches occur as well. In 1999, the Air Force, Army and Navy reported 600 attacks. In 2000, that number grew to 715.

"If the Defense Department is under cyberattack, the rest of the federal government needs to hunker down," McDonald says. "We need to prepare ourselves for this crisis-type situation by going through exercises just like the military does."

McDonald's organization is in the thick of helping protect civilian agencies. Every day, the Federal Computer Incident Response Center (FedCIRC), part of McDonald's office, gets reports of cyber events. They analyze that information and work closely with the Carnegie Mellon University Computer Emergency Response Team Coordination Center, or CERT/CC, to put out alerts across the government and the private sector about new viruses and new forms and avenues of attack. FedCIRC's goal is to apprise civilian agencies of new forms of attack and to arm them with information they can use to protect their systems. The 2000 Government Information Security Reform Act requires agencies to report to FedCIRC all computer attacks, defacements and other such incidents.

Yet for all the emphasis on alerts and attacks, McDonald says federal workers haven't yet shouldered their critical role in defending systems. "I don't think the average office worker understands that," McDonald says. "Security is not part of civilian agency culture. I think that is one of the reasons why we are having such a hard time getting agencies to do the things they need to do to protect their systems. In DoD, security is something ingrained in the culture."

Civilian agencies got an object lesson in foreign Internet incursions in late April, in the wake of the collision between a Navy surveillance plane and a Chinese jet fighter. On April 28, just two days after the FBI warned that Chinese hackers might increase attacks on U.S. sites, Web pages belonging to the Labor and Health and Human Services departments were defaced with images of Chinese men in uniform. The Labor Department site was altered to salute pilot Wang Wei, who was killed in the collision.

Protecting Web sites is the job of security professionals, but federal workers can have immediate impact on computer security by, for example, more closely guarding their computer passwords. Passwords never should be written down or posted near computer monitors, nor should they be stored in unencrypted computer files. Passwords should be random mixes of letters and numbers, not words. Federal workers never should give out their passwords over the phone. Employees also should be aware of the dangers posed by programs downloaded from the Internet and e-mails from unknown sources, especially e-mails with attachments. Viruses traveling under the guise of e-mails about love or nudity have infected a number of agencies this year.

With communication lines spanning the country and the world, the Internet provides government opportunities to significantly speed and improve services while reducing costs. It also gives the PhantomDialers of the world much greater influence than they could have dreamed possible in a non-networked world. The online capabilities of hackers, both benign and malignant, rapidly are catching up with government's vulnerabilities.
