BusinessWeek
Cyber Espionage April 16, 2008, 12:01AM EST

Defenseless on the Net

With all the cyber spies and state-sponsored hackers on the Internet, is there any way to defend ourselves? Critics say not completely.

Editor's Note: This is the fourth and final article in a series on cyber espionage.

During the Middle Ages walls became less of a barrier. Soldiers would simply set up a catapult-like device known as a trebuchet. This enabled them to fling hundred-pound projectiles and disease-conveying corpses over supposedly impenetrable fortifications. Never mind how competently the 12th century's security professionals routinely patched and updated their fortress exteriors, invaders got in.

Today, rapidly evolving cyber espionage threats, state-sponsored hackers, and other Internet miscreants are bounding over the best modern protections consumers, corporations, and governments can set up. The situation is providing a steady source of revenue—in the many billions of dollars—for the essential products and services of computer and network security firms.

Yet as illustrated by the intrusions described by a BusinessWeek investigation (BusinessWeek.com, 4/10/08), all these defenses—firewalls and antivirus updates—devouring an organization's time, servers, and technology budget can be useless against even one moderately adept hacker engaging in open-source "net reconnaissance" such as simple Googling; crafty "social engineering" of fake e-mail attachments that trick recipients because they mimic messages from the boss or a client; and leveraging of cyber-break-in "toolkits" readily available online.

Disconnecting From the Internet

If the hacker hordes in China, Russia, or dozens of other cyberactive nations can catapult their Trojan programs and other malware over state-of-the-art safeguards—confounding some of the best cybersleuths that intelligence agencies and the private sector can muster—can any of us have confidence that our networks are secure?

Not the U.S. government. On classified orders from President Bush the government is, in part, now coping with the hacking onslaught by literally disconnecting from the Internet. The feds are closing as many Internet ports as they can, everywhere they can, possibly leaving open fewer than 100 of the current 4,000-plus conduits used by cyberspies and hackers. Imagine if the government took the same approach to securing U.S. ports, closing all but a few seaports to shipping vessels.

"We're well past the point where plugging holes is effective," says one of the nation's most senior military officials, who requested anonymity so he could speak about Pentagon anxieties over cyberattacks and defensive weaknesses. "This is persistent activity at the speed of light. If I'm the adversary and I get in, the guy at the other end can have all the McAfee (MFE) products (computer security software) in the world but I'm always there. I'm in."

Hoist With Our Own Petard

No wonder Microsoft (MSFT)—widely criticized in the past because its software has been riddled with so many vulnerabilities—is now proselytizing about rebuilding Internet trust through better security hardware. "Microsoft and the technology industry alone cannot create a trusted online experience," acknowledges Scott Charney, Microsoft's chief security strategist. "Time to change the game," he says.

Some say it's also time to publicly acknowledge the inescapable truth about a high-tech fighting force: By emphasizing technology meant to give us an edge over our enemies, we've given our potential enemies an edge. "We've shifted the field of military competition from nukes and ballistic missiles—hard to compete against—to networks and satellites where dozens of countries can compete. Our affinity for new technology has empowered all of our enemies," says Lexington Institute Chief Operating Officer Loren Thompson, a defense analyst and consultant with close ties to the Pentagon.

The trouble is, nobody wants to put the technology away—not the government, the military, corporations, or the average user. The benefits are too many. Internet-dependent warfare, like Internet-dependent commerce and communications, will only grow in the years ahead, along with ever more challenging hazards. "Risk mitigation" is the strategy at the Pentagon's Joint Task Force for Global Network Operations, which oversees security of the military's seven million computers around the world—so many it requires 14,000 networks and 120,000 leased commercial circuits to tie them together. Break-ins soared 55% last year.
