A story on information security risks that appeared in National Defense Magazine.

Hackers Intensify Fears Of Industrial Espionage
by Michelle Drumheller
National Defense Magazine

Frequent intrusions by hackers into critical computer networks have industry looking at stronger security measures. Primary concerns cited by industry officials include the emergence of new vulnerabilities, lack of money for computer security, and fear of theft of corporate secrets.

Industry and government “can not afford not to do something about security,” said Maj. Gen. John P. Casciano, (Ret.), vice president for information operations/ infrastructure protection business for Litton TASC Inc., Reading, Massachusetts. “It goes to intellectual property; it goes to issues of privacy for customers; it goes to electronic commerce,” and it goes to providing security for information that is proprietary.

“Our whole economy is based on information and information technology,” he said in an interview. Computers are increasingly vulnerable to hackers attempting to infiltrate networks, experts said. The typical hacker used to be 14 to 16 years of age, white male, somewhat of an introvert, said Mark Gembicki, chairman and chief technology officer for WarRoom Research LLC, Baltimore. “In most cases coming from a divorced family, good in the sciences, in the computer side obviously, not so hot in the math and the social sciences.” However, this is no longer the case, based on information from Corporate America’s Competitive Edge, a searchable database. “Our hacker profile, based upon two years of data and talking with 320 companies-Fortune 500 companies [is that] the hackers are around 30-33, white male again, professional,” Gembicki said.

They have a $50,000 to $60,000 a year median income, and they can afford to buy expensive computer equipment, he said. “When you look at vulnerabilities, and national security and corporate security realize that the wiley 14-year-old kid is now 30 to 33 years old, with the gold American Express, driving a Beemer,” said Gembicki.

“The threat and the attacker have changed,” said Gembicki. “Now you have to worry about somebody getting in because he or she knows that that new formula you have to fight cancer-or everything from that to a new deodorant to a brake system from Chrysler-is worth a lot of money in the open market,” said Gembicki.

Preventive Measures

Matthew G. Devost, director of intelligence analysis, at iDefense, a computer security company in the Washington, D.C. area, said that most computer incidents can be prevented if the company has adequate knowledge that the vulnerability exists. Devost believes that companies put themselves at risk if they become aware that their systems are vulnerable but fail to take preventive action.

Patricia Irving, president of InnovaTek, Richland, Washington, a small business that creates chemical and biological defense technology, has seen indicators that hackers may be trying to access her firm’s computer network. “Our technologies are being used for national security type purposes, and the U.S. government has a concern about what might be happening” in countries that might not be friendly toward the United States or with terrorist groups inside and outside this country, said Irving.

“These incidents are related more to industrial espionage concerns,” she said. “We are in a very competitive arena right now in terms of intellectual property. We are creating new technologies and new products that are cutting edge, [and that] results in great competition in the early stages of product development.

“Any interest in chemical and biological weapons outside the legitimate business development areas is of concern for security recently,” said Irving. “The Central Intelligence Agency is tracking it, and they have talked to us about such concerns [but] we can’t really easily monitor what is going on on our website,” said Irving. “And it is clear that there are people interested in our site that would be of concern for U.S. security.”

An intern is working this summer at InnovaTek to train the staff on computer security, she said.

Security Tradeoffs

“There will be tradeoffs in terms of expense and the amount of security and the ease and access that we will want as a small company,” said Irving. The company’s desire to establish new business partnerships, she explained, also present new potential risks to computer security.

Lockheed Martin, Bethesda, Maryland, a major defense technology industrial conglomerate, has more complex security requirements. The company not only has many divisions that are linked by computer networks, but it also exchanges information with its government partners. “Now because of the Internet and intranet that companies have-and the extranets for electronic commerce and such-and the partnerships and agreements that you need to make on programs, you need to combine a lot of different people using the same resources to be cost effective and competitive,” said Lynda McGhie, director of corporate information protection at Lockheed Martin.

“We are investing a lot in the detection and the auditing and the automation of auditing and alarm systems, and just checking the network and just checking the systems,” said McGhie. Requiring single sign-ons and moving to integrated directories where [the user’s] identity is on a card, in a software algorithm or stored on a computer will be necessary for better computer protection, she added.

“I think we are going to be even more vulnerable, because literally the whole keys to the kingdom are going to be in that environment,” she said. “If somebody does break in and does compromise [the network], that person is going to have the potential to get into a lot more stuff, [such as] computing resources and information, and cause a lot more problems,” said McGhie. Security typically is looked at as a roadblock as opposed to an enabler, she added. Perpetrators of computer break-ins, meanwhile, pointed out that, in general, companies can create their own problems by taking shortcuts to achieve secure systems.

“Many businesses hire outside consultants to set up their technology and leave to avoid paying outside expenses. These [shortcuts] are a … hacker’s dream come true,” said The CatMan, a computer hacker with a website on the Internet, New York City. He requested that his real name not be used. “Most of the time, the passwords are set to default, and the security breach can be [completed in] a matter of moments.

“Additionally, since staff is unfamiliar with the system outside of data entry and report generation, the breach often goes unnoticed,” said the computer hacker. “You would not believe how many places have ‘123456’ or ‘qwerty’ as a password because they didn’t think of a password before setting up the account,” he said. “Passwords should have a unique spelling and be alphanumeric to prevent password cracking programs used by your neighborhood crackers. “I firmly believe that, if information is to remain secure, it should not be networked. If remote access is needed, then setup [should be] a secure model. Limit the amount of accounts, and be creative with the passwords.”

The CatMan also said that a majority of the problems with computers result from employee actions-the person installing the computer system focuses on accessibility rather than security. “Nine of 10 electronic security breeches are internal and are contrary to the Hollywood image [and are] not all that elaborate nor use holographic computer animations,” he added.

Another breech of security is the physical location of a password list, said The CatMan. “A password or password list should be treated like a credit card number and not left laying around for anyone to stumble across,” he said. It is also just recently that government has begun addressing issues related to industry and network security, according to Gembicki.

“U.S. corporations have almost no security [from the government] when it comes to really protecting themselves against a competitor trying to steal proprietary information, or a 14-year-old hacker,” said Gembicki. An ongoing problem for both industry and government, industry officials said, is both sides’ inability to share information about specific break-ins to their systems. Several years ago, the Clinton administration set up a special panel to address security risks to government computers. The President’s Commission [on Critical Infrastructure] considered that “telecommunications, and energy, health and human services, that they were critical infrastructures, but they failed to overlook the network and activity that really drives corporate America and our infrastructure,” said Gembicki.

“It wasn’t until a few months ago that there were statements made by the U.S. government, [saying] corporate America is global and corporate America is borderless on the Internet,” he said. Government Involvement

Gembicki said that one problem related to information sharing is the Intelligence Oversight Act. If the CIA or National Security Agency (NSA) has information that a cyber attack will occur or has occurred, they cannot share it with U.S. businesses. “That creates an unfair disadvantage to U.S. companies,” he added. “In a state of emergency, the government clamps down on information, and they mark it as classified and sensitive, and they use industry as a collection arm for the current state-of-the hack or the current state-of-affairs,” said Gembicki.

Then, when industry is clamoring for help to protect its networks, the government often will refuse to share information, citing national security secrecy, said Gembicki. “It is a one-way pipe in the government, and it doesn’t turn around,” he added.

Gembicki said that industry and government can work together, but tradeoffs need to occur. He advocates a security co-op program similar to those being used by national security agencies such as the CIA, NSA and State Department, which have created college internships that allow students to learn about their organizations. He suggested agencies also could allow similar exchanges with industry.

The government can develop a personal relationship at the executive-level with industry, said Gembicki. The industries participating in this program then can know that, if they have a problem, they can call that agency and have a direct contact for support. If there is an exchange at the executive level that it is blessed by both industry and government, it can prevent many of the information sharing problems that industry and government have today, said Gembicki.

Gembicki currently is developing a survey to assist companies assessing critical infrastructure threats, called Corporate America’s Competitive Edge. “The reason we focused on Fortune 500 companies is that critical infrastructure is our weakest link.” This database project uses both qualitative and quantitative information to answer questions that industry may have concerning threats to their critical infrastructure.

This project was based on responses from 320 companies. Each company was given a free information security assessment or a free business intelligence assessment in exchange for a two-year quarterly commitment to fill out forms that asked questions on 36 different topics, had 27 industry segments, and asked more than 180 questions. The response rate was 67 percent.

When asked who in government should run a program to teach businesses to be more secure, 90 percent of the companies said the preferred agency is the Department of Commerce, said Gembicki. The companies believed that corporate security is more important than national security.

“There is a polar difference between what government believes and what industry believes,” said Gembicki.