Cybersecurity options lag behind hackers’ abilities
By TIM MCGLONE | The Virginian-Pilot (MCT) | Published: May 13, 2014
A computer hacker once told a congressional committee that he could take out the entire Internet in a half-hour. That was back when the World Wide Web was in its infancy and Google didn't even exist yet.
No one has succeeded in that endeavor, but hackers have become so sophisticated that people like Edward Snowden and Chinese spies have been able to access some of the most secret files in U.S. government computer vaults.
Authorities say two people charged last week with hacking into numerous government, corporate and college computer systems made it seem almost elementary how easy it was to obtain what should have been protected personal information including phone numbers, email addresses, Social Security numbers and bank account information.
The men were allegedly part of a group that called itself Team Digi7al (pronounced "digital"). The man accused of leading the group is a former sailor who had been stationed on the Norfolk-based nuclear carrier Harry S. Truman. Three of the hackers were under 16 years old when they started working with the group.
The former sailor, Nicholas Paul Knight, and an alleged accomplice from Illinois are scheduled to plead guilty May 20 in federal court in Tulsa, Okla.
The damage done appears to have been limited, according to officials at the agencies, companies and universities attacked.
One of Team Digi7al's most sensitive cybersecurity attacks involved a breach of the Department of Homeland Security's Transportation Worker Identification Credential database. TWIC cards are used by transportation workers and merchant mariners to gain unescorted access to ports and Coast Guard and Navy bases.
Authorities say Knight and co-defendant Daniel Trenton Krueger hacked into the TWIC computer server in June 2012, downloaded the blueprint of the system, and publicly disclosed it.
Court records in the case say that made the TWIC website "vulnerable to future attacks."
The Transportation Security Administration, a Department of Homeland Security agency that oversees TWIC, said last week that the breach has been fixed. In an email statement, the TSA said:
"Upon discovery, TSA immediately notified the contractor who fixed the vulnerability and TSA personnel followed-up to ensure the vulnerability had been addressed. The TWIC information website contained only enrollment center addresses and points of contact, did not store any applicant enrollment data and no sensitive personally identifiable information was accessed or compromised at any point."
Other government agencies and companies that responded to inquiries said no sensitive information was obtained and released.
The Toronto Police Department said earlier reports that the hackers obtained more than 500 names, addresses and phone numbers of informants was erroneous. The hackers boasted of obtaining such a list but that is not what they actually got when they hacked into the department's website two years ago, a police spokesman said.
Instead, the hackers downloaded an outdated list of people who subscribed to a community bulletin about crime and community safety alerts, said department spokesman Kevin Masterman. It did contain email addresses and passwords. Masterman said the department contacted those affected and advised them to change their passwords.
"This was a breach of our website; it wasn't a breach of our computer systems," he said. "The information was being hosted by our website. It was unfortunate at the time."
Cybersecurity experts say Team Digi7al's attacks were not as sophisticated as what the Chinese military has done, or what hackers did to the Target department store chain, but it once again shows how vulnerable the entire country is to cyberattacks.
"We still face significant problems finding the funds to build a better cybersecurity system," said Stewart A. Baker, a Washington, D.C., attorney, cybersecurity expert and former DHS assistant secretary. "It remains very difficult for either the government or the private sector to really build privacy into the current network."
Baker said there isn't enough concern in Washington over the issue.
"DHS has hired a lot of people and they are much more sophisticated than in my era just four or six years ago," he said. "But you'd think they'd be more concerned. It's not the end of the world but it's not great."
Congress has failed to pass any substantial cybersecurity legislation since 2002, according to a recent report by the Congressional Research Service. Sequestration also pulled money and staff from anti-hacking programs.
A year ago, the president issued an executive order designed to strengthen cybersecurity programs, but critics said it did little more than existing programs already in place. It was also criticized for not being put into a bill for Congress to review.
The president's 2015 budget calls for more than a half-billion dollars to go to DHS to bolster its Einstein cybersecurity program. The president also pledged to build a $35 million campus to bring together key cybersecurity agencies in one place.
C. Matthew Curtin, who is often called on as an expert witness in court cases involving the cybertheft of trade secrets, said companies are now spending more money on cybersecurity.
"There is a heightened awareness," said Curtin, founder of the Columbus, Ohio-based company Interhack, which provides cybersecurity assessments for companies.
Many computer attacks occur because of carelessness, he said.
"In a lot of cases it has a lot to do with the mentality that people have about security," he said. "You have the very basic security precautions not being taken. They can't be bothered to have a pass code."
Teens are often the ones who get caught because they are not yet savvy enough not to, he said. And, like Knight and Krueger, they can't keep quiet about it.
"They are curious," he said. "They're explorers. Maybe they're just being teenagers."
Curtin remembers back to May 1998 when a young hacker who called himself "Mudge" told a Senate subcommittee that he could take down the Internet in half an hour (that was four months before Google was born.)
"The idea that you could take down the entire Internet is absurd," he said.
However, someone could attack an Internet provider and "seriously impact" a region of the country, he said.
Curtin said what's most frightening these days is countries hacking into other countries' computers. Government reports show that Russia, China, France and Israel have been caught hacking into U.S. computers and that terrorists groups, particularly al-Qaida, have begun engaging in cyber jihad.
"This is exactly the same as an arms race," Curtin said. "There is no difference between this and nukes."