Cybercrime 'much bigger than al Qaeda'

Security experts confirm concern outlined by DHS Secretary in recent speech

It is unlikely that Americans will ever again see commercial jets crashing into skyscrapers, piloted by terrorists. But Department of Homeland Security (DHS) Secretary Janet Napolitano believes that malicious computer code generated by groups like al Qaeda are just as big a threat to the security and stability of the nation.

Does that mean that we are at war with cyberterrorists? Napolitano doesn't go that far -- she uses the term "cybercrime," as do a number of cybersecurity experts.

Still, the damage worldwide is headed toward a half-trillion dollars a year. Napolitano, in a speech May 30 to business leaders and government officials, said that besides "al Qaeda and al Qaeda-related groups," cybercrime is, "the greatest threat and actual activity that we have seen aimed at the west and at the United States. Unfortunately, it is a growth arena."

"Our cybersecurity as a country is inextricably linked to our economic capability," she said. "The systems we use are interdependent, interconnected and critical to daily life in the United States. Communication, travel, powering our homes, running our banking systems -- these are all interconnected systems."

Napolitano cited a study by Symantec's Norton that estimated the cost of cybercrime worldwide at $388 billion -- more than the global market for heroin, cocaine and marijuana combined, and said, "I think those are conservative numbers, based on the things that come into DHS."

But the U.S. is not just on the defensive. Napolitano's speech came just two days before The New York Times, citing anonymous sources in the Obama administration, reported that the president had secretly ordered the use of the Stuxnet worm to attack the computers that run Iran's main nuclear enrichment facilities.

The Times reported that this was in collaboration with Israel, and was the continuation of a program code-named Olympic Games, started under President George W. Bush. The attack is estimated to have set back the Iranian nuclear program by as much as two years.

Attacking another nation-state's potential military capability may sound like an act of war to some. Joel Harding, a former military intelligence officer and now a communication and public diplomacy information operations expert and consultant, wrote in a blog post shortly after The Times' story, "It's official. The United States of America was the first to use an atomic bomb against an enemy and now the United States is the first to have acknowledged using a cyber weapon against another country. We are now certified bad guys to the rest of the world."

"To whoever leaked the information from the Obama administration, for whatever purpose, you have now doomed the United States to a terrible legacy forever," he wrote.

David Jeffers, writing for PCWorld, called malware such as Flame "the Internet equivalent of biological warfare."

[See also: Flame self-destruct module overwrites file data to prevent forensic analysis]

But Harding told CSO he does not think this means the U.S. has started a cyberwar. "There will never be a pure cyberwar in my opinion," he said. "There will be operations in cyberspace but they will always be in support of other actions. By itself warfare in cyberspace cannot conquer an enemy. The effects will normally be temporary and probably not physical in nature."

Still, he said the admission taints the U.S. in the eyes of the rest of the world. "It is a challenge to maintain a high moral position if we are the first to acknowledge the use of such a weapon," he said.

Other security experts also say that "war" is the wrong term. Bruce Schneier, chief security technology officer at BT and an author, said that "throughout history, the definition of a 'major war' has involved casualties in the hundreds of thousands. That means dead people."

Marc Zwillinger, of the Washington, D.C. law firm ZwillGen and a specialist in cyber conflict calls them "cyberattacks," and said he doubts the U.S. was the first nation to use them. "Our government, government contractors, and ISPs have been pummeled for years," he said.

Whatever the semantics, there is unanimous agreement that the attacks are doing enormous damage.

"Cybercrime is a really big deal," Schneier said. "Much bigger than al Qaeda, which has basically been a fairy scare story since 9/11."

Zwillinger said: "It's something to take very seriously. It's not that hard to undermine our economy and cause lasting effects. How long was the Facebook trading glitch that is being blamed for a lot of uncertainty and panic in the trading of one stock?"

"United States corporations lose billions of dollars in research to cybercrime and espionage every year," Harding said. "Now imagine these efforts [aimed at] national security products. Not only do we lose intellectual property and de facto our investment dollars, but we may have a national security problem."

Another problem with cyberweapons, as a number of articles have pointed out since the discovery of the Flame virus in the Middle East (an espionage tool mainly targeting Iran) and the revelations about Stuxnet, is that they can boomerang, unlike bullets or bombs. Richard Lardner reports for The Associated Press that "a cyberweapon that spreads across the Internet may circle back accidentally to infect computers it was never supposed to target. It's one of the unusual challenges facing the programmers who build such weapons, and presidents who must decide when to launch them."

[See also: U.S. companies, government not likely burned by Flame]

Finally, whether it is cybercrime, cyberattacks or cyberwar, the U.S. seems woefully unprepared for it at some levels. The Washington Post's Robert O'Harrow wrote earlier this week of stunning vulnerabilities U.S. infrastructure. He profiled programmer John Matherly, now 28, who as a teen developed a search engine he called Shodan, and by 2009 discovered "an astonishing fact: Uncounted numbers of industrial control computers, the systems that automate such things as water plants and power grids, were linked in, and in some cases they were wide open to exploitation by even moderately talented hackers."

"Over the past two years, Shodan has gathered data on nearly 100 million devices, recording their exact locations and the software systems that run them. 'Expose online devices,' the Web site says. 'Webcams. Routers. Power Plants. iPhones. Wind Turbines. Refrigerators. VoIP Phones,'" O'Harrow wrote.

The story also told of a 22-year-old hacker from somewhere overseas who was able to hack a Siemens S7 controller and gain control of a water plant serving 16,000 people in South Houston.

Harding said he doesn't know the status of most critical infrastructure. But he said he's "certain that many, if not most are not fully updated, do not have adequate monitoring or protections, have inadequate contingency plans and are unnecessarily exposed to the Internet, and are therefore vulnerable."

"It is too expensive to unhook completely from the Internet, but that decision must be accompanied by diligent efforts to mitigate any vulnerabilities," he said.

Zwillinger said, however, that most nation-states will likely limit their attacks because they still fear the military might of the U.S. "While our critical infrastructure is vulnerable, would-be attackers are hesitant to launch a full scale attack knowing that the U.S. would respond, 'using all instruments of national power,'" Zwillnger said, citing a line from Securing Cyberspace for the 44th Presidency, a report by the Center for Strategic and International Studies.

Copyright © 2012 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)