Frequently Asked QuestionsLinksContact Us
The Socrates Institute  
The Socrates Institute
About UsClass Room CurriculumProfessional DevelopmentLessonsResearchNews and Eventssponsorshow to contribute

RESEARCH

Radnofsky, M. (2006). "Corporate and Government Computers Hacked by Juveniles." The Public Manager 35(3), pp. 50-55. (http://www.socratesinstitute.org/research/Hackers.html)

Corporate and Government Computers Hacked by Juveniles

by

Mary L. Radnofsky, Ph.D.
The Socrates Institute


Your government computer is probably being targeted for a hack right now. There's a good chance the hackers are teenagers. There's also a good chance they'll never be caught. And they know it.

Imagine a teenager in his pajamas at the computer in his bedroom at 3 a.m., absorbed by the challenge of hacking into the Pentagon. And then, finally, he comes across a list of thousands of emails from top military brass with cool subjects about different "operations." There, appearing on the screen before his eyes, are the names and passwords of over a dozen US Department of Defense (DOD) employees. He could be the proverbial fly on the wall at DOD, listening to bio-weapon experts at the Defense Threat Reduction Agency. Yeah, he'll get to that tomorrow night. OK. Save. And maybe in a week or two, he'll get to that high-security software for the International Space Station on the National Aeronautic and Space Administration's (NASA) network. But it's 4 a.m. and there's school tomorrow. Bookmark. Shut down.

Seem unlikely? It happened. Yes, this case was "way back" in 1999, when most people hadn't realized the transparency of computer communication. Except, well, many had. So today in 2006, why are there even more of these cases? Thousands of computer intrusions? Millions of identity thefts? And $67.2 billion lost to cyber-crime last year? The lesson begins two decades ago.


First Hacker Caught - The Germans Learned Their Lesson. But Did We?

The year was 1986. One lone American astronomer, who fiddled with computers during his research, discovered a financial discrepancy of seventy-five cents. From that, he followed a trail of computer hacks over several years, eventually convincing the FBI, military, international security and law enforcement agencies to pursue a computer criminal for the first time in history. In Germany, a college student had gained access to hundreds of computers on Milnet and Arpanet, the US military versions of today's Internet. The hacker downloaded data from our Army bases in Germany, Japan, Alabama, and Georgia, from Air Force bases in Germany and California, from Navy systems in Florida, from the Pentagon, from the Jet Propulsion Lab, from an MIT computer, from the Lawrence Berkeley Lab, and from other defense contractors.

Who else had seen the thousands of secret files that a German college student (dubbed the "Hannover Hacker") had been stealing for years? How does one measure the consequences of unveiled defense strategies, proprietary software, and military identities? Perhaps the more recent, though individual, case of Valerie Plame's lost cover can illustrate this point for us today. We won't know how bad things are until something happens based on the lost intelligence. That could be tomorrow or in two months. Hackers are patient, and sometimes wait years before acting on stolen information.

So since 1986, Germans have become the best enforcers of IT security in Europe. Here in the US, however, we are still struggling with postponed legislation (HR 5835), unclear and unevenly enforced laws, and, worst, the battle to convince ourselves that the problem of computer intrusions is in fact a very big deal - not just to industry giants, but to every government agency, school, and home.


The Current State of Cyber-Crime

Twenty years after the Hanover Hacker, we not only still have these types of hacking crimes, but a plethora of even more creative ones, despite the genuine (and expensive) industry and government attempts to secure computer networks. Cyber-crime is, of course, global. Although attacks come from all over the world, twenty-six percent start in the US, followed by China with twenty-four. Many such crimes are committed by students - not because they really want state secrets, but just to prove they can do it. Many more do it for the millions of dollars they can generate through extortion. First they demonstrate they have access, and then threaten to shut down a company's website for a day. So the company pays them not to make a denial of service (DoS) hack, and the cyber-criminals get paid time and again.

The most common type of computer crime is "merely" a virus (eighty-four percent of respondents in a 2005 FBI survey said they had experienced at least one), which has high nuisance and economic consequences. But more menacing, and almost as pervasive, are spying incidents (eighty percent also dealt with this). In fact, spyware's legitimate function to help track your child's computer use, for example, makes it freely available on the Internet.

Other problems in cyber-crime include such recently-publicized problems as cyber-stalking, cyber-pornography, child predators, illegal downloading of songs and movies, and software piracy. In addition, a 1999 Rand publication stated that Al Qaeda "appears to have widely adapted information technology," and was building a terrorist "communications network that relies on the Web, e-mail, and electronic bulletin boards." Cyber-terrorism was born.

Other examples of cyber-crimes include the following:

  • In 2000, a disgruntled worker in Australia hacked into a waste management control system and released millions of gallons of raw sewage into town.

  • In 2001, two post-graduate students cracked into a bank system used by the US Treasury Department for Internet transactions, and then generously told the world how they did it.

  • In 2003, an 18-year-old who considered himself a gray hat hacker (see sidebar) was arrested for spreading a variant of the "Blaster" Virus, which had infected or shut down millions of computers worldwide. A year later, the Blaster's original creator was also caught. (Update: spam and junk mail now account for seventy percent of office email, and one in thirty-six such emails contains a virus.

  • In 2005, Chinese hackers penetrated US government networks and stole military secrets, including future command and control documents.

  • In 2005, the ID theft of 33,000 Air Force officers from a computer at Randolph Air Force Base resulted in the loss of their Social Security numbers, birthdates, and other confidential data. In 2006, the personal information of 26.5 million US veterans and 2.2 million active service members was lost when a laptop with the data was stolen.

  • Also in 2006, hundreds of thousands of US and European bankcard numbers and PINS were stolen. Bank accounts were looted, and people lost their life savings. Think Enron losses, and multiply by one hundred.


The Basics of Cyber-Defense - Slow the Flood, Verify Security Measures

So what's a company or agency to do? Money helps, of course, but despite billions of dollars spent annually on security, there is still an increase in the frequency of computer crimes, many of which may sound like a foreign language to you: There are, as briefly mentioned above, DoS attacks, viruses, malicious code, spying and key-logging. In addition, we now have worms, trojan horses, botnets and zombies, packet-sniffers, war-driving, pharming, spear phishing, and controlling real-life vital services and utilities such as sewage plants and power grids to entire cities. Yes, hackers can actually disrupt and endanger our personal and professional lives in concrete ways. Phone service can be interrupted; traffic signals can be changed; harassing and threatening emails can be sent in your name.

Let's say, though, that your budget doesn't include billions of dollars for IT (and even if it did, would it want to be constantly on the defensive against computer attacks?). In that case, different solutions are needed, because hackers are persistent. They will "knock at the back door" of your network not just for hours, but for months, or years. Maybe the old software used to keep them out. Double check, though; they may now be in.

So it almost goes without saying that you must install and activate all security hardware and software - and do so correctly. Let's assume you have firewalls and other security on your system. You probably still experience dozens, maybe hundreds of computer intrusions daily, especially spam with viruses or worms. And what about the bots or malcode that were left behind? Your spam-blocker may have slowed the flood of emails, but it didn't clean out the system. Anti-virus software was installed to run continuously on all employee computers, of course, but it's worth verifying that no one has disabled any of the security measures, which commonly interfere with many programs, and so are frequently "temporarily" disabled. Often, in good faith, the employee intends to re-enable it, but forgets. Other times, it is a conscious choice by dedicated employees to keep it off, because it slows down their productivity. In either case, the damage is done.

Let's also assume, though, that as a dedicated manager, you've sent out positive memos reminding people to follow security procedures. Maybe that's all you've been allowed to do. It's been difficult to enforce cyber-security procedures in the office or with subcontractors, even harder to find leaks, unclear as to how to punish for noncompliance, and vague as to how to deal with actual loss (financial, identity, property). Compliance is still mostly voluntary, with no single government standard uniting them. Until now.

Pending Legislation May Help Enforce Cyber Security Compliance

HR 5835, the Veterans Identity and Credit Security Act of 2006, (proposed following the veterans' ID thefts), has been approved by the House Veterans Affairs Committee as of this writing, and could be signed into law this coming session. The bill, if enacted, would give chief information and security officers the power to enforce cyber-security policies "to the extent determined necessary and explicitly by the head of the agency."

This bill is significant because prior legislation (the 2002 Federal Information Security Management Act, FISMA) was criticized for not having given that power to CIOs, leaving them only able to make cyber-security recommendations. HR 5835 would establish federal standards to notify and provide credit protection services for cyber victims, and enforce instant warnings to Congress or other federal offices impacted by security violations. A controversy now exists as to whether agency undersecretaries or their IT departments should ultimately have IT security enforcement power.

At this point, maybe you're saying that the few intrusions into your network have been fairly innocuous - a few redirected web links to a porn site, or some fake e-mails. But they can escalate in the punch of a key. If someone has the access to send fake emails, they may also be able to read all of yours, and everything else on your hard drive.

Hackers have created an international community that openly shares malicious code, cracker programs, how-to-hack articles, books, workshops, and sites on the Internet and at national conventions. Frequent postings on hacker blogs publicize specific weaknesses in commonly-used applications. Code-specific hacking instructions are accompanied by a disclaimer, "for educational purposes only," but names have been named and weaknesses revealed, making entire networks - government and private -vulnerable to attack.

So even though there is hope that agencies will be able to protect the cyber-infrastructure with new laws or hardware, it may still seem that you have very little control over your own department's computer security. And if you think about the sheer number of human sources as potential data leaks, your control seems even more limited. Cause to worry.

Now, added cause to worry: international cyber-criminals are increasingly linked to organized crime. And as cyber-security software and hardware improve, IBM notes "it is anticipated that many of these criminals may target the most vulnerable access point within a company or organization - its personnel - to execute an attack."

In fact, however, and despite the outcome of pending legislation, you actually have as much power with a few well-executed leadership decisions as with your arsenal of cyber-defense measures. There's no physical warehouse to storm, no getaway car to outrun, and no clear-cut bad guy to catch. You have to outwit this enemy, and on his turf. That means education. You have to teach everyone else how to outwit him, too. It all comes back to learning a lesson. Call it training. Call it professional development. Call it continuing ed. Just make sure that the receptionist learns it as does the boss.

Increase Cyber-Security through Education

One agency that has taken an aggressive stance in educating its personnel is DOD, which has developed computer security simulations. They regularly put computer trainees through network attack exercises to learn to thwart actual intrusions.

In fact, the Annual Cyber Defense Exercise (CDX) is the ultimate National Security Agency (NSA) cyber challenge, with the military to educate future officers in the art and science of computer network security. In a simulated military operation, teams of cadets and midshipmen defend a closed computer network they designed, built and configured. Such cyber education is officially acknowledged as essential to this country.

So shouldn't all agencies, businesses and schools be just as dedicated and allocate just as many resources to educating their own communities in the secure, legal, safe, and ethical online practices? The Socrates Institute, a non-profit educational organization founded by this author, certainly thinks so. We began building a cyber-ethics curriculum for schools in 2003, but the problems of cyber-crime had not yet sufficiently caught the public's eye. And since no state department of education required any type of cyber-safety, cyber-security, or cyber-ethics instruction in schools, the federal government did not yet see the need for it either. That's all changing now.

The US Department of Justice (DOJ) Computer Crime and Intellectual Property Section Web site states that "Some individuals exploit the power of the Internet for criminal or terrorist purposes. We can minimize the harm that such individuals do by learning ourselves, and teaching young people how to use the Internet safely and responsibly."

The Federal Energy Regulatory Commission (FERC) requires online courses for employees, managers, and technical personnel to "minimize disclosing sensitive information," and to "teach caution using the web/Internet media."

At the state level, Virginia enacted a new Internet Safety Law on March 7, 2006. Merely distributing acceptable use policies has not been effective. The law now has a provision to "include a component on Internet safety for students that is integrated in a division's instructional program." In the business sector, Symantec puts its employees through an ethics training program not just once, but yearly and supports Virginia's initiative in protecting children online through classroom instruction. They also add that, "As part of a safety program, the Virginia Department of Education should be looking holistically at Internet safety to incorporate cyber security and cyber ethics as well."


Three Aspects of Cyber-Crime Education

These three aspects of cyber-crime education (cyber-safety, cyber-security, and cyber-ethics) form the foundation of the annual C3 Conference at the University of Maryland. The organizer, Dr. Davina Pruitt-Mentle, speaks to its educational focus: "We can use many materials out there in schools, but cyber-ethics, cyber-safety, and cyber-security education won't make an impact until it's fully integrated throughout an entire state curriculum. It can't just be an add-on or a school assembly. It needs to become ingrained into everyone's daily routine."

Emphatically, The Cyber Security Industry Alliance states that, "What is missing here is a focused and organized national effort to teach children cyber security, cyber ethics, and cyber safety with national security in mind." In addition, "it is incomprehensible that we are not teaching cyber security, ethics, and safety at an early age. Poor awareness by children about cyber security may ...ultimately threaten the fabric of our nation's critical cyber infrastructure."

Not surprisingly, one other community also agrees on the importance of cyber crime education. Computer hackers themselves seized the Internet long ago to build a following, create gangs, and challenge each other. As a result, we are dealing today with the somewhat chaotic cyber-culture they built. But as with any culture, this one must evolve in order to survive.

International cooperation in criminal cyber-activity is already underway (the Senate has finally ratified the Council of Europe's 2001 Convention on Cybercrime, making us the sixteenth of forty-three countries to sign). While the treaty sends the signal that we are building a united front to pursue cyber-criminals, it is up to leaders in the cyber-culture to re-establish a united set of values (admittedly an extremely difficult task), and create a common link between what are now tragically disparate nations, at several levels.


Changing Cyber-Culture through Education

Anyone in your office with access to an electronic communication device (from a cell phone to a fax or podcast) risks opening your network to hackers. It doesn't have to be a high-tech piece of equipment either. Information leaks have been happening without laptops for centuries through "Social Engineering." But there are ways to minimize these risks.

So how do employees deal with the cyber-culture in which they work eight hours a day? They make up the rules as they go along. Yes, really. As a result, the cyber-world has as much the freedom, excitement, and danger as the wild-west. But as the Internet reaches a critical mass of users who demand safe, ethical, and secure interactions, it also moves closer to creating a more civilized society.

To facilitate that move, people need to learn why they must implement certain security protocols, why following one procedure cannot replace all the others, why certain online activities interfere with security, why verifications, back-ups, passwords and firewalls are all needed, etc. Mostly, though, they need to know why each and every person should bother with all that even if they are "just" a receptionist or "even though" they're the boss.

It's not enough, of course, to tell people why they should change. To increase the chance of policy being correctly implemented, people need both an understanding of why as well as hands-on training in how to change. In computer security, this means letting each employee go through the keystrokes themselves (ideally in a safe, simulated environment) to best understand the importance, relevance, and logic of procedures.

In such simulated environments, we know that learners improve decision-making, make faster choices, apply learned behaviors, and move more easily from novice level to expert. The good news is that simulations can help people learn to avoid Internet credit scams or worms, and to make wise decisions using their own "talents" online. They can learn how to securely instant-message (IM), blog, and use their cell phone without revealing critical information. And throughout the simulation, they will learn the consequences of making wrong decisions.

The bad news is that providing such educational training takes a great deal more time than adding security software, but both strategies are essential to cyber-security.

NetEdGE Cyber-Education

Leaders in both the public and private sectors advocate direct instruction for employees and students in the proper use of cyber-technology. In the spirit of fulfilling this need, The Socrates Institute has been developing NetEdGE (Internet Educational Game of Ethics) with seed money from Symantec. Our purpose is to create a training program that guides young people through different scenarios of cyber-crimes from three perspectives: elite hacker, innocent cyber-victim, and undercover FBI agent. In each role, the individual learns how to interact in a simulated cyber-culture through decision-making, risk-taking, and especially by making mistakes inside the protected environment. We even give players the chance to hack into a fictitious organization, and then have to deal with the legal, economic, and social consequences.

Reaching the current workforce is undeniably important. But we must also reach young people at the start of their career. Nationwide, there are over18.8 million teens on the Internet for an average of ninety minutes a day. Over half (fifty-one percent) of their parents do not have or do not know of software on their computers to monitor where the teens go or with whom they interact online.

But we do know that organized crime has been recruiting teens in great numbers, turning their computer skills into big business. In fact, teens are even recruiting other teens in increasingly organized ways to commit DoS, fraud, and extortion.

We also know that only about five percent of all cyber-criminals are ever caught, and few are punished. In fact, ninety percent of computer intrusions are never even reported; companies prefer not drawing attention to themselves, less they risk losing consumer confidence. So our best chance, and one thing you can do as a leader, to reduce the numbers of cyber-criminals, is to educate the incoming workforce, giving them simulated opportunities to make both right and wrong choice in the cyber-world, and show the real-life consequences of both.

There doesn't need to be an army of computer hackers to cause damage to an agency infrastructure. All it takes is one young person in a single reckless cyber-crime, and no idea of the social, legal, economic, and emotional damage it can cause. All it takes is one teenager who figures that no one will ever find him. And at three o'clock in the morning, with the world at his fingertips, he's running password-guessing programs. And he's not even sleepy.

PostScript

We exist in an unpredictable era of technological evolution that seems to outpace our laws, cultural mores, and sense of personal safety. But we try and keep up with the new cyber-world. So we create new laws. We sit at the same table with security experts and hackers. We invent new strategies to observe it, new tools to probe it, new portals to access it, and new words to define it. Now it's time we developed new ways to teach others (and ourselves) how to successfully, honorably, and safely live in the cyber-world as we do in the real world. The purpose of this article has been neither to recommend nor criticize any particular brand or trademark of computer security; use the system best for your organization, depending on its size, security clearances, or budget. And educate your whole team in how and why to use it - all the time.


REFERENCES

Berg, A. January 4,.2006. THREAT MONITOR: "Seven trends to expect from virus and worm authors in 2006." SearchSecurity.com. Link

Computer Security Industry Alliance (CSIA). July 2005. Teaching Children Cyber Security and Ethics. White paper.

Department of Justice. 2006. Computer Crime & Intellectual Property Section. Link

Federal Bureau of Investigation, "2005 Computer Crime Survey Report," 18 January 2006
Link

Hacker Terminology:
- Webster's New World Hacker Dictionary (2006).
- The Jargon File. Glossary of Hacking Terms Link

IBM, January 2006 Global Business Security Index report Link

###

Mary L. Radnofsky, PhD is director, The NetEdGE Project and president and CEO of The Socrates Institute. This article has been adapted from a more thorough-going treatment of the topic, including citations for all quotes and references, a glossary of cyber-world terms and other details. For more on NetEdGE or to communicate directly with the author, go to www.socratesinstitute.org.

pdf version



CyberEthics Project

Home | About Us | Research | Curricula | Lessons | Sponsors |
Prof. Development | Press Room | Contribute | Contact Us

 

 
 
The Socrates Institute