In February of 2000 I was interviewed for Future Presence, which is a publication of the Arlington Institute. Given the length of the interview and the breadth of material covered, I think it makes for a very interesting read.
February 14, 2000
Volume 1, Number 4
Produced and Edited by Scott Johnson (firstname.lastname@example.org)
MATT DEVOST — GUARDING THE GATES OF CYBERSPACE
"What you have out there now is the demonstration that there are malicious actors that do not have the best interests of the Internet or the electronic society in mind."
When you enter the office of Matthew Devost, one of the most visible monuments to his life’s work is — a poster. More specifically, it’s a poster advertising the 1980s movie War Games, a hacker classic in which a high school kid almost starts World War Three. Devost would admit to the hyperbole of that Cold War film, yet he has become one of the most articulate advocates for educating leaders and the public by the growing threats from cybercrime and information warfare.
This interview, which had been scheduled for over a week, was made all the more timely by the massive and apparently coordinated attacks on a group of high-profile web sites over the past few days. [see related links at the bottom of this newsletter] These intrusions into the operations of some of the poster children of the new "e"-conomy are, says Devost, the merest glimmer of what lies ahead. Devost has discussed these issues on CNN, MSNBC, National Public Radio, and Australian television, and he currently serves as a senior information security analyst for Security Design International Incorporated (http://www.sdii.com/), a firm in Annandale, Virginia that specializes in dealing with digital threats to the critical infrastructure and e-commerce. He has also served as a senior INFOSEC engineer at SAIC and as Director of Intelligence Analysis at Infrastructure Defense, Inc., and he is the founding director of the Terrorism Research Center (http://www.terrorism.com/).
TAI’s Scott Johnson:
Tell me a little about your own involvement in this field. What interested you so much about cyberterrorism and information assurance that you decided to make a career out of it?
It was the culmination of the fact that I was a graduate student who was studying both national security issues and computer science. And I just kind of naturally saw, back in 1993, the convergence of these two fields. There was a national security threat that I saw, with our increasing reliance on computer technology, that hadn’t been written about or studied. So I started writing about it and sort of caught the front end of the wave that became the information warfare career path for me.
We scheduled this interview last week, and it has turned out to be a pretty timely one. In the last few days, hackers have disrupted servers on some of the most high-profile web sites in the world, including Amazon.com, CNN, E*Trade, eBay, and ZDNet. What in blazes is going on?
What we’re seeing is one of the fundamental vulnerabilities of the Internet. We’ve had these issues with regards to being able to do "denial of service" attacks for the past five years. Nobody’s really fully exploited them. We saw several years ago some isolated DOS attacks that took some major e-commerce sites offline. Of course, back then e-commerce wasn’t as big a deal as it is today. There weren’t the billions of dollars that are now flowing into these sites.
Also, back then, the tools that were being used were kind of equivalent to the neighborhood boy turning on somebody’s faucet. And in order to find out what the problem was, you just followed the stream of water, and there you had it. The tools we’re seeing today are very sophisticated, in that they are distributed. You have fifty to a hundred to two hundred sites that you compromise and install these clients on; you give them the go code with what the target is; and they launch this distributed DOS attack. It becomes incredibly difficult to track it down and figure out what each of the sources is, and even if you identify one source, you’ve still got 49 or 199 out there [that are] waging the attack.
We are also seeing what appear to be some diverse motivations, what with the fact that attacks are "turning on" and "turning off." In the past, they would "turn on" and wouldn’t turn off until somebody caught them. But this person or this entity that’s launching the attacks, they seem to be really interested in testing the capability of the tools. They’re going after the sites that have the most bandwidth in the Internet society; the sites like Yahoo!, eBay, E*Trade, sites like those that are accessed by millions of people each day. They’re turning on the attack just long enough to see that the tool is successful, and then turning it off. It makes it incredibly difficult to do any sort of forensic analysis, trace back to the source…
Like they’re wiping their fingerprints clean.
Yeah. There are still some sort of fingerprints that are there, but it’s really tough to trace it back to the source if you don’t have a constant stream flowing. So that’s what we’re seeing, and what their motivations are and who it is, that remains to be seen. I know that it’s frustrated a lot of my friends in the security field over these last three days.
It seems like there’s been, like you said, a sort of ratcheting-up of the ante. A few years ago, these were mostly isolated. We’ve seen a lot more and bigger attacks over the last few days, in a more concentrated fashion, but they are still isolated to specific companies. Is this the tip of the iceberg? Are we looking down the road to things that could affect entire portions of the infrastructure, or is that overstating it?
It could be. Like I said, these vulnerabilities have existed for years. But what we had on the Internet–it operated on trust. No one exploited these vulnerabilities because we all had a vested interest in the success of this wonderful new entity we’d created for communicating and conducting business. What you have out there now is the demonstration that there are malicious actors that do not have the best interests of the Internet or the electronic society in mind. And they’re willing to exploit these vulnerabilities that exist in the protocols [and] that have been there for years, on a wide scale against major sites.
And it could be that this is just the tip of the iceberg, that we’re going to see more substantial attacks against other sites… attacks that are sustained for longer periods of time. It’s hard to determine what the motivation is. The cat’s definitely out of the bag with regards to launching these types of attacks against large sites.
In an FBI press conference [see related link below], Janet Reno said that the Department of Justice was going to spend money and implement procedures to defend against these kind of attacks. Is that just blowing smoke? It seems like the very distributed nature of the Internet that you discussed makes it inherently vulnerable to this kind of thing.
Devost: There are lots of things [they can do]. They’re trying to beef up their forensics capability, their ability to liaison with internet service providers, communications companies, that they would need to track back the source of the attacks. But really, what you have is an engineering problem. There are new protocols out there for Internet connectivity like IP Version Six that are starting to build in security aspects that would make attacks like these harder to launch. Until we see a migration to new network protocols, to new mechanisms for conducting business– and that won’t be easy.
It’s been so appealing with regards to electronic commerce that we’ve just sort of grown without considering the long-term implications of having this "untrusted" backbone beneath our feet. And until we’re willing to say, "Whoa, let’s move towards secure implementations or new protocols," the attacks are going to continue. I don’t see what the Department of Justice can do with regards to that, except just the traditional kind of law enforcement activities.
Regarding e-commerce… as things become more interconnected, and as it becomes a bigger part of the economy, are these attacks a threat to the public’s trust in using e-commerce sites, whether it’s psychological or an actual effect on the physical infrastructure of doing e-commerce?
It will have an effect on the physical infrastructure. Obviously it didn’t deteriorate people’s trust too badly because all of those stocks are going up in light of these attacks. I think other security incidents like we’ve seen in the last few weeks, with credit cards being violated, that are much more personal… [these] are going to have a greater impact on the individual’s trust of e-commerce and the moving forward and being willing to buy more things, move more of their life online… than these sort of infrastructure attacks that just prevent them from accessing a site. It means much more to Joe Smith if his credit card was revealed online and someone could steal his identity–that is a much bigger threat to him individually than not being to connect to eBay for the day.
We saw that with the Northwest Airlines web site recently, where users of the web site had their credit card numbers exposed on the site [see related link below]. Do you think we’re going to see more of that?
Oh, absolutely. There’s been a huge trend in the past month towards revealing some of these credit card numbers online. CD Universe is a prime example. 300,000 credit card numbers. Visa and American Express have both issued new cards to a lot of their members that had shopped on very specific sites that had been compromised. So I think we will see a lot more of that.
Moving over to some of the more military aspects of cyberthreats… A few years ago, the U.S. military conducted an exercise called Eligible Receiver, in which simulated hacker attacks caused serious degradation to our ability to wage war. [see related link below] Can you tell us a little more about that exercise, and whether it was an accurate simulation of the realities of cyberwarfare?
I don’t know that it was an accurate view of the threat at the time that it occurred. They basically took some of the best and brightest that we had, and gave them the role as the bad guys. At that time, I’m really not convinced that those capabilities existed within entities that would be willing to do harm to the U.S.
What it did, which was even more significant, was raise awareness with regards to our vulnerabilities on these infrastructures and the interdependence of infrastructures. It demonstrated their interconnectivity. It was something that a lot of us had been speaking about, but it really hadn’t been demonstrated yet, where you could use a computer system to attack power grids; you could use a computer system to attack gas and oil and transportation. It was those links that demonstrated, hey, you could really impact the U.S. military’s ability to deploy by using a "soft kill" type of attack.
So in that sense it was very viable. It attracted a tremendous amount of attention, first within the DOD and then later with the public. It’s often cited as one of the major reasons why we’ve moved forward with a lot of these initiatives, like the President’s Commission on Critical Infrastructure Protection, why we have a Critical Information Assurance Office [see related links below]. It spawned numerous DOD initiatives. So it really was, at the time, a very good action to occur, a very good thing to happen.
Are the U.S. and other countries now developing wings within their military that are specifically geared towards aggressive information warfare tactics?
Absolutely. If you look at some of the recent statements by some of the heads of the CIA… I’ve seen numbers as high as one hundred entities, countries or rogue entities, that are developing these IW capabilities. That’s what they determine is the threat. Now, the problem is that it’s hard to take someone’s word at that. If you’re talking about critical infrastructures such as power, telecommunications, those rest with industry, not with government. It’s very difficult to just take at face value, when someone says there are one hundred nations out there developing these capabilities.
There’s been really no threat estimate above and beyond that, that’s been shared with the corporations that would motivate them to move forward or generate additional dollars towards security, towards securing these infrastructures. So that’s one piece of this that’s been a little disheartening. It’s the fact that there’s no real accurate data–or there may be accurate data, but there’s no unclassified information with regards to what the current threat is out there to sufficiently motivate industry.
Would you call this the cusp of a full-scale paradigm shift in the future of warfare, or is it really just an added element? Are we looking at a future where there’s primarily bloodless wars that are fought with technology?
I don’t think there will ever be bloodless wars, because ultimately we will always face adversaries that are going to resort to physical violence, and only physical violence will be used as a means to expel them. The way to inflict damage is becoming more bloodless; the warrior is being removed from the warfighting process. What used to require hand-to-hand combat moved back to gun-to-gun, to tank-to-tank, to bomb-to-bomb… to now someone sitting in a ship, watching a Tomahawk missile go in. So what we’ve done is kind of remove the personal elements; there’s been a paradigm shift there.
There’s also been a paradigm shift in that, if you want to have an impact on nation-states, especially modern ones, a good way to have a national security impact is by attacking these critical infrastructures. So I think we’re seeing, if it hasn’t already occurred, a paradigm shift there as well. And other governments recognize that.
I would implore people to go out and read this document by two Chinese colonels called Unrestricted Warfare [see related link below]. It talks about the migration of nation-states to tactics such as information warfare, or financial sector attacks, or conventional terrorism attacks using asymmetrical cells a la Osama bin Laden. So there’s definitely this fundamental thinking– a lot of people have referred to it as a revolution in military affairs, the Gulf War being the first information war. I think it goes above and beyond that, in that the nation-states are now having to resort to these sort of unrestricted methods in order to achieve their objectives.
It seems that, just as the Internet has reduced some of the barriers to entry in regular business, it has also had some of the same effect on the terrorism business. Individual actors can inflict a lot more damage to a government or region than ever before. Is that accurate?
I think that’s accurate. We’ve seen some interest from terrorist organizations in conducting these types of activity. It still hasn’t generated the level of response that’s significant for them as it would to actually have a "blood bomb." We refer to it as a "bomb of bits" versus a bomb of blood, and the bomb of blood is much more effective for them at this point. Now, as they see the complete national attention — the attorney general of the United States, the President of the United States speaking on issues of e-commerce sites being attacked and how significant that is — well, that’s a natural motivation for them to migrate towards those sort of attacks.
And yes, they are just as capable, if you invest the resources in educating yourself, if you can download these tools and determine which web sites you’re going to attack, they are just as capable with three people as they would be with ten people. So it has kind of decreased that barrier. Bruce Sterling used to always refer to the Internet– there were no malicious actors yet because we had this "protective membrane," he called it, of computer literacy.
Well, I think that protective membrane has now finally [been] broken through. You have tools out there that are GUI [graphical user interface]-based. It’s like using Microsoft Windows, allowing you to launch attacks. There’s no fundamental knowledge required to go out and code, to understand the vulnerabilities. It’s automated for you; you just need to pick your targets and have the motivation to go out and launch this sort of wide-scale attack.
Last week the Clinton Administration eased restrictions on computer exports, and they have recently taken similar steps to cut barriers on encryption software, a stark reversal of previous policy (and one for which Silicon Valley had been lobbying). Do you think these were good policy decisions and, more broadly, do you think the current Administration and Congress “get it” when it comes to these issues?
I think absolutely that those are good policies, and that they are finally starting to "get it." It’s been a long, hard-fought battle. [laughs] If you talk to any of the advocates of strong cryptography that exist out there, this is a battle they’ve been fighting for years. The government is only now realizing that, in order to ensure competitive advantage, we need to remove some of these restrictions on exporting encryption technology. What happens is, we have companies that are perfectly capable of producing secure products, [but they] can’t distribute them outside the United States. So they have a competitor that ends up setting up shop [abroad] and allows these products to be exported, and they distribute from there and have an impact on us. Or, jobs that would have resided with a company in the United States are now within that company, because they have set up a European branch or a foreign branch.
So I think that’s a fundamental move forward in obtaining a greater level of security, but it’s disheartening that it was such a long, hard-fought battle to get there.
We seem to have weathered the Y2K crisis with little or no serious damage to infrastructures and vital services. Do you think there are any valuable lessons to be drawn from the way we addressed that problem, that can be applied to this threat?
Well, I think there were lessons that could have been drawn if we had suffered more failures. We definitely learned lessons about how to set up coordinations and communications, and preparation for infrastructure failures. I think we’ll carry those lessons forward. I’m not saying it would have been nice, but there would have been additional lessons that could have been learned, had we actually suffered some random infrastructure failures here and there. Determining who’s responsible for responding to that, how their coordination of that takes place, what sort of mitigation techniques were used… there were a lot of lessons there that I think, from a critical infrastructure protection standpoint, we were looking to learn but we never got to learn. So those will be down the road.
I’m still not convinced that, within the U.S. government, that we even know how to organize for a response to a critical infrastructure attack. Is it FEMA that responds? Is it the FBI? Who is involved when it comes to responding to a critical infrastructure failure?
I think they drew up some of those contingency plans, but they didn’t really get to test them to see if they would work.
They drew up some of them with regards to Y2K. When you start talking about infrastructure failures as a result of a malicious act, it’s an entirely new entity now, because you have that threat agent or external actor in there. I’m still not convinced that we understand exactly how we’re going to handle those types of failures. I know that there’s been a lot of activity. There’s some papers that two colleagues and I wrote about organizing for IW, that I know were distributed. And people were reading those and brainstorming on how to handle this. I just don’t think that we’ve gotten there. There were lessons that could have been learned from Y2K failures that would have advanced our efforts in regards to that.
It seems that the evolution of this information technology, and especially the role that it plays in our lives, has increased exponentially in the last few years and will continue to do so. Is there a danger, in your view, of it getting out of hand, in the sense that we can’t handle the way it’s progressing?
I don’t know… it’s going to be interesting to see how individuals respond to the advances of technology and how we’ve become more dependent on it. If I think to my own personal life, if you took down my connectivity and my systems at home, there would be a great deal of chaos. [laughs] With regards to finances, I don’t keep hard copies of much of anything anymore. I do keep backup copies, but if that was removed, there would be a certain amount of chaos.
As we move forward and become increasingly reliant, I think we have to be prepared for these sort of "influx of chaos" that are going to occur. And that may be difficult. Ultimately, I think it’s a good thing. Of course, there are moral perspectives to that. As technology advances to the point where you have systems that have the equivalent power and functionality of a human brain, and we start really advancing in artificial intelligence or achieve ways of modeling or cloning our neural processes into some computer… there’s going to be huge ethical, religious, and moral debates that take place that will probably cause a great deal of strife within society.
But over the next few years, I only see it as a complement to where we’re going. I think it will allow businesses to become much more global. I think it will give the individual much more power to be innovative again. That’s one of the greatest things that I like about technology, that the power is now back to individuals to be innovative again. I think that, for a period of about twenty years, we lost that. So that’s one of the unique aspects that I’m really looking forward to watching in the next five to ten years.
Matt, I’m now going to ask you some more general questions that we ask to all of our interviewees. We’re trying to get a picture of where we are now and where we are going. As we enter the new millennium, during the next century: What is the biggest challenge facing humanity?
I’ve been very intrigued by one the subjects we just mentioned, which is what happens when the technology finally starts merging with the man, and the ethical dilemmas that will be there. I think that’s probably going to be one of the greatest challenges that we’ll meet. I’ve read most of the current books on that, which kind of hypothesize that in thirty years we’re going be there, and what are we going to do? What if people start making conscious decisions to live solely within machines? I think that’s going to be one of the greatest challenges: overcoming that, and figuring out how we’re going to deal with those subjects.
We’ve seen a tremendous amount of debate with regards to cloning, and I think that’s just the tip of the iceberg of what our capabilities will be, within even just the next twenty to thirty years, let alone the next hundred years. Not having another religious war of man versus technology, or those who want to live completely embedded with technology versus those who want to sort of maintain our "humanity"… that will probably be one of the greater challenges that we face.
What is humanity’s greatest strength?
We’ve proven to be very adaptable and innovative. We seem to have tremendous capability to overcome things. Overcome differences amongst ourselves. Overcome technological problems. Overcome battles against diseases. We dedicate an incredible amount of manpower, and there are an incredible number of people that are passionate about these issues. Just as with critical infrastructure protection… there are an enormous amount of people out there now that are passionate about this issue, [so] that we can probably overcome any threat that exists out there.
So that’s probably our greatest strength, is the fact that there are people out there that are passionate and innovative, and we have a demonstrated history of being able to adapt and survive and face up to these challenges. It’s not always easy, but it’s always done.
What do you believe is likely to be humanity’s greatest accomplishment?
[long pause] Of course, I’m only thinking only in perspective of initiatives I know of now! [laughs] It’s kind of difficult to think ahead fifty years, when the playing field has completely changed. But I always think of the human genome projects– being able to map out the things that make up what we are, and being able to eliminate the diseases that have plagued us, will probably be, from my near-term perspective, one of the greatest achievements that we’ll have.
Now, there could be something that occurs in fifty years that completely dwarfs that. But from my perspective, that will probably be one of our most significant advances.
Where do ideas come from?
That’s difficult to answer. It obviously seems apparent to me that some people are more creative than others. But that may not be an accurate assessment. My judgment of what is creative might not have any relevance to somebody else’s judgment of what is creative. So it almost seems like it’s a spiritual process to some extent, that each of us has this ability to be creative in our own unique way. So if I had to target it to anything, I wouldn’t target it to science or to a specific personality trait. I think I would target it to something that we don’t understand, that is unknown to us and walks more on the spiritual side than on the technological or human side.
Last one: if you had an audience of a billion people, and only a few minutes to address them, what would you say?
[laughs] That’s a difficult question. The obviously appealing answers are, you know, the "can’t we all just get along" or "let’s move towards global peace." But I figure that if I’m in front of an audience of a billion people, then there’s probably a reason why I’m there and not someone else. So I’d probably try to base my discussion on those things that I know. I might try to discuss some of these technological issues and challenges, some of the issues of our reliance on computers and balancing that with our civil liberties and moving forward.
So I’d probably speak to that which I know best, to that which probably would have put me in front of that audience to begin with.
Matt Devost bio and papers:
Security Design International:
Pentagon’s Computers Fail Hired Hackers’ Test (about the Eligible Receiver exercise, from the Associated Press/Seattle Times):
Critical Information Assurance Office (U.S. government):
President’s Commission on Critical Infrastructure Protection (U.S. government):
Unrestricted Warfare (report by senior colonels of People’s Liberation Army, China):
Part I: http://sun00781.dn.net/nuke/guide/china/doctrine/unresw1.htm
Part II: http://sun00781.dn.net/nuke/guide/china/doctrine/unresw2.htm
Full document in .PDF format: http://www.terrorism.com/documents/unrestricted.pdf
Yahoo! Special Report: Hacker Blitz (with media stories from AP, Reuters, and major newspaper and TV/web resources):
Clinton, Computer Security Experts to Meet (Associated Press):
More Web Sites Hit, Authorities Step Up Response (Reuters):
Clinton Eases Computer Export Controls (Reuters):
Matt Devost e-mail: email@example.com