Crime Goes High Tech

Sunday, April 30, 2000

Last December, David Lee Smith pleaded guilty to disrupting some 1.2 million computers by spreading the Melissa Virus. He said he meant to circulate "a harmless, joke message" and had no idea how much damage would ensue. But state and federal prosecutors estimated that the virus had caused at least $80 million in damages. That would make his offense one of the most costly crimes in American history. In February, some of the biggest sites on the web, including Yahoo and eBay, were temporarily shut down as the result of "denial-of-service" attacks. Such attacks occur when a simple program is sent into unsecured computers (which can number in the thousands) and later instructs them all to send a message to a particular address or addresses at a certain time on a certain date. Cyberscammers have stolen credit card numbers, attempted to blackmail financial service companies, and defrauded consumers throughout the world. Other cyberattacks with major financial consequences have occurred, and more are anticipated.

The potential danger to web sites from denial-of-service attacks was one of the topics discussed at a Hoover Institution conference on cybercrime and terrorism in December, which was cosponsored by Stanford's Center for International Security and Cooperation and the Consortium for Research on Information Security and Policy. Speaking two months before the attacks on the Internet's biggest sites, Thomas A. Longstaff of the Software Engineering Institute at Carnegie Mellon University presciently warned of the threat posed by denial-of-service attacks. Longstaff correctly predicted that such programs could enable an attacker to send fifty thousand simultaneous messages to single sites, bringing them all down with substantial damage.

The damage estimates for cyberattacks are still unscientific. Richard Power of the Computer Security Institute in San Francisco, who with the FBI publishes reports on cybercrimes, conceded at the conference that estimates are based on what companies informally report about the costs of attacks. Their estimates may therefore understate the problem. In formal filings, such as SEC-required reports, companies are reluctant to admit that cybercrimes significantly interrupt their cyberactivities or compromise the security they are trying to convince customers exists on their web sites. Even assuming substantial off-the-record exaggeration, however, the CSI/FBI estimate of total losses suffered during the last three years is quite impressive: $361 million. Attacks on public sites, including the Defense Department and other agencies, as well as on sites that constitute part of the nation's critical infrastructure, are also increasing at a rapid pace. These attacks have been less successful than attacks on private sector activities, but consider the chilling "Solar Sunrise" attack of February 1998 in which several teenagers were able to gain illegal entry into a number of sensitive computers in the United States (Pentagon and NASA) and Israel (parliament).

The Clinton administration acknowledged that cybercrime was a serious problem in May 1998 when it issued Presidential Decision Directive 63, which put federal agencies to work on cyberissues, including protection of the critical infrastructure. Some $1.5 billion is already being spent annually on cybersecurity activities.

Regrettably, the effort seems flawed in some of its assumptions and priorities. First, and most wastefully, the administration fought a long, costly, and futile battle to control the design, sale, and use of advanced encryption. Perhaps no single measure can ensure security in cyberspace more cheaply and effectively than encryption, and the government's policy greatly delayed, and is still damaging, the potential of encryption.

Currently, the administration is attempting to convince the Internet Engineering Task Force (IETF), which establishes voluntary standards for Internet protocols, to require "trapdoors" in computers so as to enable the government to cybertap (with appropriate court orders). Every technologically competent person who addressed this issue at the recent conference saw such trapdoors as eventually enhancing the ability of criminals to attack computers and reduce security.

Second, the government has failed to encourage support of "best common practices" standards for the Internet, allowing proprietary programs and narrow priorities to dominate. Peter G. Neumann of the influential Menlo Park, California, business and technology research organization SRI International called "closed" proprietary programs the greatest source of lack of security on the Internet, responsible for much greater damage than criminal actions. This danger will grow, he predicted, as government agencies adopt overambitious "highly distributed systems" to enhance the efficiency of various government-controlled operations, such as air traffic control. As air traffic in congested areas grows to even greater levels, for example, vulnerabilities in airtraffic software could put lives at risk.

Just as the best defense against chemical and biological weapons incidents is to have strong public health programs aimed at protecting against all disasters, deliberate or otherwise, so too is it essential that the information infrastructure be built on the most reliable systems available. Businesses are giving convenience, speed, and competitive challenges far higher priority than security.

Finally, while everyone in this field recognizes that the information infrastructure is inherently transnational and that defenses based on national boundaries are impractical, the Clinton administration seems to have limited its international cooperative activities to pious declarations and informal law enforcement exchanges.

Criminal law cooperation is essential but in itself insufficient. An international effort is needed that establishes legally enforceable norms for setting and implementing security standards and mandated rules and procedures for cooperation and mutual protection, as in commercial aviation. An international treaty for cybercooperation can be written, moreover, to be inapplicable to national security activities. We should, as President Clinton recently announced, be assisting friendly states currently left out of the cyberrevolution, not holding back from creating new markets for all goods and services, including our own, on the basis of nonexistent national security concerns.

Of course, it isn't just the government that is digging in its heels against truly effective security. Private sector control of the information infrastructure is a revolutionary development that virtually no one wants to see sacrificed to national, let alone international, regulation. The possibility of governmental abuse and incompetence makes an international agreement a potential disaster.

We can have security and standards in this field, however, without surrendering private control. The multilateral treaty tabled for consideration at the conference would preserve the IETF as the world's standard-setting body for the Internet, working within a voluntary, unpaid structure of private experts. For perhaps the first time in human history, an international regime could be established that is controlled by private sector forces.

No one can guarantee that, once set in motion, an international effort to enhance cybersecurity might not lead to government control and a lessening of freedom. But think about it. Right now, private forces control the action and could prevent anything undesirable. Wait a few more years, and government officials will have established many trapdoors and increased their influence, if not control. The responsible thing to do is to move now to give legal stability to the current, private, standard-setting regime, with just enough government backing to ensure that the public is protected against both crime and technological inadequacy.