Spy Vs. Spy

Making the virtual business world safe

Many who have done business in developing countries where wealth is disproportionate, hostage-taking is common and Americans are always a target, know the value of a couple of bodyguards and an armored escort when driving, no matter how much the service costs.

The main reason why companies budget for physical protection in some locales is a certainty on their part that if they dont defend themselves, the local law wont defend them either.

The same is true on the Internet, where business conditions are probably comparable to working conditions in Uzbekistan or North Korea — the 149th and 155th least-free economies on the planet, according to the 2000 Index of Economic Freedom. But in the last year, a handful of private companies have started to take enforcement into their own hands, quietly developing security units to protect their clients assets in cyberspace.

Web hosters such as Exodus Communications, Metromedia Fiber Network and ServerVault have been hiring retired agents from the Federal Bureau of Investigation, National Security Agency, Secret Service, Royal Canadian Mounted Police, Scotland Yard, U.S. Army and U.S. Navy, and whisking others away from their government salaries and security clearances to build private cybersecurity divisions.

What has emerged is a powerful, albeit clandestine, industry within an industry, with an unsurpassed access to otherwise classified security information that is now seeking to exercise its political clout to make the virtual business world safer for commerce.

In 1998, the Pentagon computer system — the holiest of the holy — was hacked by a ring of five Israeli and three American hackers, who picked their target because of a shared dislike of organizations. Their attack was so fierce that early reports of what was later dubbed "Solar Sunrise" caused Rep. Curt Weldon, R-Pa., to conclude that the U.S. had entered a cyberwar. The perpetrators, all under the drinking age, were caught by a phenomenal joint American-Israeli law enforcement effort. No trial date has been set yet.

Private companies sites — as evidenced by an avalanche of denial-of-service strikes in February 2000 against Amazon.com, CNN and ZDNet, the site of this magazines then-parent company — are just as attractive as targets.

But law enforcements track record in catching the bad guys and protecting business interests in cyberspace is spotty at best.

Last month, the General Accounting Office published an extensive report on the performance of the FBIs National Infrastructure Protection Center, which has been assigned a broad set of responsibilities aimed at both warning private and public organizations of the attacks, and catching the bad guys. The report concluded that the NIPC has fallen behind in its investigations, overpowered by both the volume of crimes and the lack of cooperation from the FBIs local offices.

What this means for private businesses is that unless the president is making a statement about your e-mail server being hacked into, the U.S. authorities are probably not going to do anything about your request to investigate the crime. And if the perpetrator has staged an attack from a far-off land, you might as well patch the security hole and forget about justice.

The FBI is legally barred from doing investigations overseas, which leaves businesses with a choice of the Central Intelligence Agency — which arguably has other issues on its plate than catching cybervandals — the Department of Justice or the Department of State, according to law enforcement community participants.

A case that piques the interest of the DOJ or the State Department would be forwarded from Washington, D.C., to a respective embassy. From there, the embassy would contact local law enforcement organizations and, "depending on the personalities involved," some people who have walked down that lane explain, a criminal case might be opened. This, of course, is not the same as bringing an identified criminal to justice, as is evidenced by the Solar Sunrise episode.

Lousy cyberpolicing is precisely the reason why most companies driving their business down the fast lane of the information superhighway want the equivalent of a bumper-squashing, siren-wailing, privately owned Mercedes-Benz Gelaendewagen protecting their Web site.

The burden of meeting this business request falls squarely on the shoulders of the companies that host the very sites that are used as either targets or as the means to break into corporate networks: Web hosters and Internet service providers.

Just as the Roman emperors developed the need for the Praetorian Guard, a special task force that acted as bodyguards and special army, modern-day Web rulers feel the need for private security when it comes to policing the Internet.

Its no longer enough to be just technically savvy. Managed firewalls, security patches and hardened operating systems on Web servers seem too basic to many customers.

Businesses that come to Web hoster ServerVault want to be sure their machines — and the information they contain — cant be fried with a ray gun from outside the data center. Users of MFNs colocation, managed and network services want to be assured their business partner knows how to handle information security forensics when investigating attacks internally, so the evidence is admissible in the court. Companies that work with Exodus want to be sure that if a strike breaks through their hosters defenses, Exodus would be able to coordinate the efforts of international security agencies to ensure attackers are caught.

Charles Neal is a 20-year veteran of the FBI who started his career in the bureaus cybercrime division with the investigation of hacker Kevin Mitnick, and ended his government work with the MafiaBoy case almost exactly a year ago. He left the FBI to head development of Exodus Cyber Attack Tiger Team (CATT) and, as such, is an apt spokesman for this new class of security powerbrokers.

"At the FBI, we recognized that there was a serious problem of underreporting, which continues to this day," says Neal, now vice president of cyberterrorism and incident response at Exodus.

The FBI, Neal says, has run an undercover project for a number of years, seeking to find out the exact number of compromised sites around the world. The results were anything but soothing. "We have identified thousands of compromised sites, and we identified so many so quickly we couldnt tell all the victims they were victims — otherwise, we would have no time to do anything else," he says.

Only 2 percent of the companies that discovered their sites had been compromised reported the incidents to investigators, Neal says. And the ones that did work with the FBI found themselves spending a lot of money with few results, he says.

Exodus CATT was built to compensate for the pitfalls of law enforcement that Neal learned about in the school of hard knocks, and to patch up the cracks through which cases affecting Exodus hosting customers would ordinarily fall. His personal goal is to use his agency background to improve the security of the Internet through Exodus, which he calls a "private platform."

"The trend I see is more teams like ours doing incident response, because companies dont want to go to law enforcement," Neal says.

The two biggest disappointments that Neal had at the FBI were juvenile cases, which the federal government doesnt prosecute unless the circumstances of the case are extraordinary, and dealing with international issues, since the agents are precluded from even calling their sources overseas to collect information on the case. With CATT, as a private citizen, he can both call on colleagues overseas and advise customers to go after juveniles in countries with the toughest laws on the books.

Four Divisions

CATT is broken into four divisions. Digital firemen is the physical incident response team, which consists of individuals that carry pagers and let customers know of an intrusion at all hours of the day. Infrastructure is the team that handles security nuts and bolts, such as firewalls and probe monitoring. Forensics consists of ex-security gurus that prepare evidence for prosecutors, making sure the evidence is admissible in court and is transparent enough for even the least savvy district attorney to make the case against an Exodus customers attacker. And then there is an intelligence division, modeled after an FBI infiltration unit that monitors the hacker community from the inside.

Most customers avoid going to the authorities, Neal says, aiming to just patch up the security hole and go on with their business. But there are situations when prosecution is very much desired.

Jill Knesek, Exodus West Coast team leader for the incident response team, recalls a recent episode when CATT traced a hack to a customers competitor, which was seeking to gain advanced intelligence to get an edge in a bidding war for a large contract. The Exodus customer was motivated to bring the case to authorities, which resulted in successful prosecution, Knesek says.

Exodus will strive to inspire other Web hosters to develop units similar to CATT, so that the private sector could become the missing link that would connect an international information security network, Neal says.

Information Sharing and Black Helicopter Tales

That missing link could appear sooner than anybody expects. In a recent study by Meta Group comparing the overall security of Web hosting organizations, ServerVault topped the list, followed by Telenisus, Genuity, Exodus, Electronic Data Systems and UUnet.

The exchange of information with federal officials is very much on the mind of Patrick Sweeney, ServerVaults president and CEO. The company has been designed with security as its main focus, and is one of the few hosters that builds its data centers with the Department of Defenses, the NSAs and the Pentagons specifications in mind. Sweeney expected to meet last week with folks from the NIPC "with a specific idea in mind of sharing information between public and private-sector companies."

ServerVault would know a thing or two about setting up a process like that. The company is working with the Secret Service on a pilot program in which ServerVault would help the agency with collecting hacker information.

Sweeney views his companys efforts as part of the conceptual change in how governments protect themselves in the information age. Warfare has historically been conducted with large armies, he reasons. But why make bombs if just as much damage could be inflicted electronically by taking out, say, a power grid or a stock exchange? A single person here could cause as much damage as a tank division, and its just a matter of time before agencies such as the CIA, the FBI and Interpol all work together against cybercrime, Sweeney says.

In the meantime, Exodus, ServerVault and others do what they can to fend off attacks themselves. Sweeney says that a lot of unfriendly traffic aimed at compromising ServerVault comes from China and former Eastern Bloc countries. But what can ServerVault do, even if it knows who the cracker is?

Sometimes the best thing to do is to do nothing but collect information on the criminal and ensure the customers data is safe against their exploits, Sweeney says.

Security industry experts say that while many companies avoid taking their cases to the authorities, the tales of black helicopters and midnight visits to the homes of suspected crackers by men in black leather jackets are greatly exaggerated. Some companies do, however, take matters into their own hands. "Some companies get fed up, find out who is attacking them and just lay it out for them, asking them to stop and telling them they know who they are and where they live," says Elias Levy, Internet defense firm SecurityFocus.coms co-founder and chief technology officer. "Or they simply contact their employers or parents."