It is often said that generals always prepare to fight the last war. A risk that is anticipated and planned for can usually be averted. It is the unplanned-for risks that overwhelm us. The appearance of professional Internet criminals was predicted in fiction long before the Internet became a mass medium. During the early years of the Web, we spent a great deal of time and energy looking for ways to defeat the professional thief. The mischief maker, the prankster, and the juvenile delinquent were overlooked.
Then a group of hackers cracked the Web site of the CIA.
The attack did not result in the loss of classified information, did not disrupt the work of the agency, and did not threaten the critical infrastructure. Nevertheless, the damage to the agency’s reputation was considerable. In the 1960s and 1970s, a standard move for the plotters of a military coup was to take over the national television and radio stations. A group of teenage vandals had managed the cyberspace equivalent.
As the overlooked risk became the concern, the anticipated risk was forgotten. Companies building Web sites learned to think of Internet security in terms of protecting their brand from embarrassment. Users learned that they could use the Internet without concern for their own security because government regulations make financial institutions such as credit card companies responsible for risk.
Meanwhile, the Internet became an increasingly important part of the economy. When asked why he robbed banks, Willie Sutton replied, “That’s where the money is.” Today the Internet is where the money is—lots of it—and the Willie Suttons of the Internet have been busy finding out ways to direct some of that money into their own pockets.
Organized crime rings operating out of Eastern Europe, Russia, Nigeria, and Boca Raton, Florida, are using the Internet to steal hundreds of millions of dollars per year. Their methods include confidence tricks, consumer fraud, and extortion.
By the time the professional cybercriminal finally appeared on the scene, security experts had learned to avoid suggesting money as the motive for an attack. As far as the press, the public, and most customers were concerned, Internet security was almost entirely a problem of juvenile delinquency, and anyone who suggested otherwise was engaged in scare-mongering.
The only Internet security problem that could be acknowledged was teenage hackers whose amazing technical skills were matched by a complete lack of social skills. According to the carefully constructed media image, these hackers scoffed at the notion of monetary gain, being interested only in bragging rights. Their attacks were launched to gain an ephemeral fame, or as Andy Warhol might have put it, to be famous for 15 mouse clicks.
The term hacker is a somewhat controversial one in the industry, and some people still try to insist on the original definition, which is a prankster looking for some harmless fun. The term hacker was coined at MIT, where “hacks” have been a part of university culture since long before the first electronic computer arrived on campus. Shortly before I arrived at MIT, a police cruiser appeared on top of the great dome above the main MIT entrance. On the centennial of the Wright brothers’ first flight at Kitty Hawk, a model of their biplane appeared in the same place. The opening of Star Wars Episode One was greeted by turning the dome into the head of the droid R2-D2.
The hacker culture played a major part in the early development of the computer. Many of the most important developments in computer science began as “hacks,” including Space War, the first computer game, and Internet e-mail.
In The Hacker Crackdown, Bruce Sterling traces this new hacker culture to the phone phreak culture that surfaced on the West Coast of the U.S. in the mid-1970s. The phone phreaks played pranks on the telephone system and occasionally managed to find ways to make a free phone call. Born of the era of flower power, protest, and the summer of love, the phone phreak culture has much more in common with the MIT culture than either had with the new hacker culture. In those days Ma Bell was the telephone company and fairly regarded as a part of the “system,” and therefore fair game for anything the phone phreaks might throw at it.
The hackers of the 1990s took their name from MIT, their language from the West Coast phone phreaks, and their moral code from schoolyard bullies. Some were precocious in their technical skills, but few unusually so. The computer world has always been dominated by those who learned their craft at 12 and became masters before they left school. The fact that an idea is new does not mean that it must be difficult.
Many computing problems require little more than patience and eidetic memory and are thus a good match for the juvenile mind. We have all met 12-year-olds capable of prodigious feats of memory such as reciting the batting averages of every member of the Boston Red Sox or the results of every match ever played by Neasden United. Why should it be such a surprise that there are 12-year-olds who can recite a list of technological trivia?
As the Internet grew, it became a place where victims of schoolyard bullying could quickly aspire to become bullies themselves in an environment where their victims had no opportunity to retaliate. Hacking was quite easy when all you needed to do was to surf to a Web site, download some tools, and fire them up. Becoming known as an expert in this type of hacking did not require skill or expertise, only malice and good public relations work.
Social engineering is a type of confidence trick used to persuade the target to ignore his better judgment. Many of the new-style hackers were first-class social engineers, able to wheedle out pieces of information simply by pretending to be someone else. It should be no surprise, therefore, that so many journalists reported without question the claims made by these self-described con artists. Balanced reporting of hacker attacks had to wait until several years later, when journalists became aware of the victim’s side of the story.
The Internet was designed by a small circle of academics largely for their own personal use. Security, such as it was, followed what we would now call a perimeter model. To get access to the Internet, you had to first be granted access to one of the few computers connected to it, each of which cost as much as a house. Anyone caught misbehaving was liable to be banned from using the machines. Users of the primordial Internet were accountable for their behavior through peer pressure and responsibilities to their co-researchers. As a last resort, an issue could be referred to the university proctors.
As the Internet expanded beyond a small core of elite universities, accountability began to break down. The network had expanded to the point where a problem could no longer be traced to a source, and even if the individual responsible for an issue could be identified, addressing the matter would take much more than a telephone call to the department head.
Between 1993 and 1996, several factors converged to transform the Internet from a purely academic resource into a global mass medium. The most visible of these factors was the World Wide Web, which for the first time made the Internet accessible to users who were not prepared to navigate arcane and obscure user interfaces. Equally important, however, was the second factor: the transition from being a U.S. government–funded research project with a prohibition on commercial use to an open infrastructure where commercial use was encouraged.
A third factor was the commercial failure of interactive TV, a scheme whose rather too obvious premise was that turning the television screen into a 12-foot-wide electronic billboard in the center of the living room and adding a buy-now button on the remote control would make a fortune for cable operators, particularly if it replaced the shopping mall. When the would-be hyperconsumers showed a complete lack of interest in this scheme, its backers suddenly found the need to find an alternative technology into which to funnel the vast sums earmarked for investment in interactive TV. Thus was the great dot-com boom begun.
The effect of these changes was that the Internet lost the accountability mechanisms that had limited malicious acts when it was a purely academic resource at the same time that the Web was becoming increasingly prominent in the mainstream media.
Web commerce was still in its infancy, there were few targets for the money-minded hacker, and, in any case, it was clear to almost everyone involved in the emerging Web that it would be much easier to make an honest fortune than a dishonest one.
Security specialists tend to worry most about the issues they are paid to worry about. In this period, the companies paying people to worry about Internet security tended to be companies involved in selling through the Internet, transferring money, and so on. Companies whose Web sites did not involve money often overlooked the fact that they had staked an even more valuable asset: their brand and reputation.
Defacing Web sites became something of a hacker sport, particularly when the hackers realized that a successful attack against a high-profile target could result in national publicity.
The defenses constructed by security specialists were like a shark barrier constructed by a town that finds nobody is visiting the beach because of the wasps. A hundred thousand script kiddies with no real skills using ready-made attack tools were causing so much mayhem that the activities of any professional criminals were lost in the noise. With attention focused on the wasps, the shark problem was forgotten.
It is often claimed that Internet security is an oxymoron, a contradiction in terms. In fact, the record shows that the industry has been effective at controlling security risks when it has put its mind to doing so. The problem has been that we have often been unsuccessful at persuading the industry to take risks seriously until after the criminal activity has become widespread.
No Professor Moriarty
Fictional cybercriminals are sophisticated types. They steal large sums of money from international banks that, in the Hollywood versions at least, appear to spend more on spiffy graphics than reliable security systems.
Cybercrime is a term that I dislike. The future has no prefix; telephone becomes phone, e-mail has only a tenuous grip on its hyphen, and will in time become simply “mail.” More importantly, a word that bears the cyber prefix sounds like science fiction, not everyday life, which was, of course, William Gibson’s intention when he coined the term to give his science fiction novels a sense of the future.
The term cybercrime has become a liability. It encourages an image of an elite criminal adversary with the cunning of Sherlock Holmes’ nemesis Dr. Moriarty or James Bond’s Ernst Stavro Blofeld. James Bond has to single-handedly defeat a fresh megalomaniac bent on world domination in every film. This leads us to forget the fact that Ian Fleming, the creator of Bond, was a real-life spy and spymaster in a real war against Adolf Hitler, a real megalomaniac who had attempted to realize his goal of world domination by brute force rather than cunning.
Real Internet criminals usually prefer to avoid the sophisticated state-of-the-art security systems that protect the internal systems of the major banks. They attack the system at its weakest point, where security is almost entirely outside the control of the bank: the customers.
The methods of the professional criminal are chosen for effectiveness rather than subtlety. The methods may be clothed in numerous disguises, but in the end, the schemes they use are ages old, dating back long before the invention of the Internet and, in the case of the 419 advance fee fraud, to the Middle Ages. Like a mountebank’s shell game, the schemes appear complex if you spend your time watching the movements of the cups but simple if you know that the ball was never under the cups at all.
Sophisticated schemes usually require inside knowledge and are thus self-defeating because the number of suspects is comparatively small. Schemes that lack sophistication might stand less chance of success, but that does not matter to the Internet criminal who can program a computer to perform a million attacks for him simultaneously.