Is computer crime a fundamentally new phenomenon, a new approach to the work, much like Islamic terrorism? And are we defending ourselves using the obsolete tools and the attitudes of another age?
As you no doubt know, this week saw the latest attack on the world's computers by a virulent and fast-moving virus. It has crashed Microsoft 2000-based computers in the United States, Germany and large portions of Asia. Particularly hard hit have been many of the big Mainstream Media institutions in the U.S., including CNN, ABC and the New York Times, as well as Caterpillar tractor, and some non-critical machines at San Francisco Airport and a few offices on Capitol Hill.
This bug appears to be of the "worm" type, likely related to the Zotob worm first discovered and announced last weekend (which itself seems to be a variant of the new "worm-rbot.cbq" worm). This type of virus, according to Johannes Ullrich of the Florida network security firm Sans Institute, "will connect to a control server to ask for instructions. It scans network neighborhoods and tries to infect them as well."
Microsoft has already announced a patch for this worm, but an attempt to open the Web page Wednesday morning resulted in failure. Nevertheless, thanks to its new automatic security update service, Microsoft estimates that 200 million PCs around the world have already downloaded the patch.
It remains to be seen whether this new worm will do as much damage as last year's Sasser worm, which crashed millions of computers worldwide. New protections and stronger firewalls may limit the damage this time … but as we all have learned over the years, every new advance in computer security is merely a challenge to hackers to figure out how to breach it.
Hackers Are Basically Computer Terrorists
That brings me back to the two questions that began this column. Increasingly, I am struck that there are distinct parallels between hackers and terrorists. Both are essentially powerless people who believe that they are superior to everyone else. And both are furious that, for some inexplicable reason, history has turned against them and showered its favors on the suits/infidels. The only answer, then -- one that will punish the nonbelievers and reward the Illuminati with fame (or notoriety) and power -- is to destroy the greatest institutions of those history has favored. Only then will the unbelievers (and the insufficiently committed) appreciate just how superior the Illuminati really are.
But, since those favored by history have the money, the people, the institutions and the tools, the only way for the powerless to fight is by being the antithesis of their enemy: unstructured, unpredictable, operating in violation of accepted rules of engagement, targeting noncombatants, never meeting the enemy face to face.
As we now know, one of the unpredictable advantages of such a strategy is that the established, comfortable enemy takes a very long time to even see the nature of the threat, to try to assert rational principles on what are, in fact, irrational acts. We probably would have put up with acts by al Qaeda, like the Nairobi embassy bombing or the attack on the USS Cole, almost forever as long as they were long enough apart, far enough away, and killed few enough people.
It was only the sheer proximity and the monstrousness of 9/11 that roused us out of our inertia and forced us to realize that we not only had to answer this ongoing attack, but find fundamentally new ways of doing so. Whether or not you agree with the strategy he chose, President Bush should be credited with recognizing that, faced with this new threat, the old solutions (like isolating or ignoring most of the Middle East) no longer worked.
It goes without saying that Islamofascists and hackers have very different goals. The former have publicly stated that they want to establish a global Caliphate, and are willing to kill millions, even billions, of nonbelievers to get there. Hackers, by comparison, appear to merely want the respect of their peers and the fear of everyone else, and are willing to cripple or destroy the various structures and artifacts of modern civilization -- and perhaps kill a few incidental bystanders -- to get there.
It isn't idle speculation then to suggest that the mistake we made with Islamic terrorism in the 1990s is precisely the one we continue to make with computer crime. Like the federal government, the computer industry made a wrong turn many years ago -- in the case of computers, during the great mainframe era of the 1960s -- and has been trapped in a particular security paradigm ever since. This paradigm didn't really fit back then, and is utterly inappropriate now; but unfortunately, the entire industry is built around it, giant companies have been built to market it, and everyone is trapped in the false hope that the fatal flaws can be fixed with an endless array of new "patches."
Are Firewalls Still Effective?
What is that failed paradigm? It is the notion -- again, dating back to the days when Pharisee-like IT managers controlled the physical access of users to giant mainframe computers -- that the best way to protect a computing environment from destructive intruders was through a static "perimeter" defense, which back then was through employee badges and user ID numbers, and today is through so-called software "firewalls."
Time has taught us the many weaknesses of this model. For one thing, once an agent gets through the walls of the fortress, he or she has free rein to do any amount of damage inside. Second, it doesn't protect the system from people already inside (like the homegrown London bombers). And, most important, what happens when the fortress is so vast and so populated -- like the Internet -- that you don't know where to put the walls?
This has been the situation faced by the IT world over the last two decades. And, as with homeland security during the same era, it responded by trying to enhance its existing techniques -- thicker firewalls, more firewalls, more passwords, faster patching. When all of that failed, it added the equivalent of sending out nightly patrols (antivirus scans) to look for crimes in progress.
Did it work? Kind of. But only just well enough to keep the damage level beneath that threshold of pain where users (like the citizenry with terrorism) saw it merely as a nuisance, or even an act of God.
Looking for New Solutions
And that's where we are today. This week's worm, even if it causes a lot of damage, is far enough way from last year's Sasser worm that we won't see the two as anything more than slightly connected. And the next virus will be the same, as will the one after that. Meanwhile, corporate IT directors, the folks typically in charge of computer security, will be able to ask for more money for new versions of the same old "solutions" because all that is asked of them is that they match industry "best practices" regarding security and never let the company computers and networks take any more damage than the competition.
And that will be enough this time … and the next time … and the time after that. But out there, someday, likely sooner than later, is a catastrophe, a 9/11 of the Internet world. It might even be some hackers in common cause with al Qaeda -- after all, nihilism and absolutism are never that far apart. I don't want one of my kids riding in a bus to school when all of the traffic lights turn green, or have one of my relatives in surgery when the patient monitoring systems start spitting out false data, or have my life savings disappear in the wink of an eye.
And when that catastrophe comes, the recriminations will be vicious. How long do you think it will take before some smart law firm figures out a way to pierce Microsoft's third-party contract and bring a class action lawsuit for billions of dollars in lost productivity by millions of Americans (not to mention hundreds of wrongful deaths) because of 20 years of negligence on the company's part regarding security? How long will it take for us to pull out of the resulting economic collapse? How long will it take for e-commerce, now a cornerstone of our economy, to recover?
Only then may it become obvious that we have entrusted our lives and fortunes to a security system that no longer worked, that there were better alternatives right before our eyes, and we were too blind to see them.
Changing the Paradigm
By coincidence, on the day the new worm virus hit, I was, of all places, on the southern coast of Oregon, sitting in a house on a rock that juts into the Pacific Ocean, talking to a group of entrepreneurs from Amarillo, Texas. The entrepreneurs, whose company is called SAGE, described for me a very different kind of computer network security -- a dynamic process it called Process Based Security. PBS is a more dynamic security apparatus that gives users access to applications only, not to the entire system (they call it "default denial"). The SAGE folks not only claimed that their system was far more impervious to hacks than traditional security systems, but even protected information appliances outside the corporate firewall.
Does PBS work? I'm not expert enough to know. But I do know that some federal agencies have quietly implemented it on some of their networks and servers. I also know that the SAGE folks have been frustrated in most of their attempts to get any response from major corporations. Even IT executives who like SAGE's product admit that their jobs are more secure if they conform with the industry standard, no matter how flawed.
But most of all, what I know is that SAGE is at least trying something different regarding data security; trying to change the paradigm. So are a number of other innovative young firms out there. And right now none are getting much traction in corporate America.
And even if they do, it will take much more to protect us. As with Islamic terrorists, it will take a fundamentally new approach: offensive, rather than defensive; fluid rather than fixed; adaptive rather than rigid; and one that attacks the very cultural roots of the problem, rather than waiting for the immediate threat to become manifest.
That will mean serious government initiatives aimed at destroying the culture of computer crime, corporations held culpable for their security negligence, juries that deliver sentences far more punitive than the 21-month suspended sentence given by a German court to the Sasser creator, and most of all, consumers who demand the most effective data security as part of their purchasing decisions.
Until that happens, the timer is ticking …
This work is the opinion of the columnist and in no way reflects the opinion of ABC News.
Michael S. Malone, once called "the Boswell of Silicon Valley" most recently was editor at large of Forbes ASAP magazine. He has covered Silicon Valley and high-tech for more than 20 years, beginning with the San Jose Mercury-News as the nation's first daily high-tech reporter. His articles and editorials have appeared in such publications as The Wall Street Journal, The Economist and Fortune, and for two years he was a columnist for The New York Times. He has hosted two national PBS shows: "Malone," a half-hour interview program that ran for nine years, and in 2001, a 16-part interview series called "Betting It All: The Entrepreneurs." Malone is best known as the author of a dozen books. His latest book, a collection of his best newspaper and magazine writings, is called "The Valley of Heart's Delight."