Electronic Pearl Harbor
the havoc that can be wreaked online has become almost limitless. Unless you’re living deep in the woods on fish you catch, chances are almost every aspect of your life is mediated through computers, from your train ride into work (thanks to computer-controlled track switches) to paying bills to relaxing in front of the television (which gets its juice from a computerized electric power grid). A terrorist organization or hostile nation that wanted to disrupt life in the United States, or a thief who wanted to plunder a company, has an embarrassment of riches to choose from, notes Pat Lincoln, director of the Computer Science Laboratory at nonprofit research institute SRI International. Lincoln, whom U.S. officials have briefed on these concerns, notes that though the details are classified, the government is carefully watching several groups and nations for warnings of computer attacks. “If you’re recruiting people to drive trucks that blow up, maybe next year you’ll get someone to plant an Internet worm,’” says Lincoln.
Possible targets of terrorist or state-sponsored attacks include electric power grids, natural-gas pipelines, water supplies, dams, hospitals and a variety of other critical facilities that could be paralyzed by assaults on the right computers, possibly resulting in widespread suffering and even death. Holleran notes that 80 percent of the food transported by rail in the United States crosses either of two bridges over the Mississippi River; even a moderate computer-driven mishap near one of them could potentially cause shortages and skyrocketing food prices. Phone service could increasingly be at risk, too, thanks to plans to move most voice traffic onto the Internet, which is far less secure than conventional phone networks. Banks, stock exchanges, the U.S. Social Security Administration and the U.S. Postal Service are also vulnerable. An attack on any such crucial network would serve as what security experts call an “electronic Pearl Harbor.”
Access to, or a means to disrupt, military networks would be a special prize in this computer cold war. “A commercial site might be willing to put up with a certain amount of fraudulent traffic” that slows or temporarily halts service, says Robert Anderson, head of the information sciences group at nonprofit think tank the Rand Corporation. “But in a military system you’d be talking about lives being lost.” Imagine, for example, the computer-driven targeting displays in tanks and bombers misidentifying friendly installations as enemy positions, or radio command networks being disrupted, or even inundated with fake commands. Such infiltrations could conceivably influence the outcome of a war. Uncle Sam is widely believed to have developed its own capabilities for attacking enemy computer systems, but because the United States tends to be far more computer dependent than its overseas counterparts, we have more to lose via information warfare, Anderson says.
Computer attacks could even become a force to reckon with in politics, notes AT&T Labs security expert Avi Rubin-at least if some communities follow through on plans to allow voting over the Internet. All a malicious agent would have to do is launch a mild attack that slowed down a vote-processing server enough to prevent a few percent of the ballots from getting through in a couple of districts. “It’s the easiest type of attack one could possibly launch, and it could be enough to disrupt an election,” says Rubin.
On the business side, the attacks are less theoretical. Citibank was ripped off in 1994 to the tune of $10 million by a Russian computer whiz, who transferred the funds to his and his accomplices’ accounts. Most of the money was eventually recovered, but experts say there have probably been larger, more successful computer heists at other financial-services companies. Why haven’t we heard about them? Because the companies quietly bury the loss in the books as some other type of expense. “If someone breaks into a company’s computers and gets $50 million, the company will feel there’s nothing to gain by reporting it,” says Jon David, a senior editor of the journal Computers and Security and a security manager at a large financial-services firm. “It just makes customers and stockholders nervous.”
For a growing number of thieves, though, purloined corporate information-not money-is likely to become the currency of choice. R&D data, financial records, personnel files, details of upcoming deals-corporate servers are treasure troves of data that can be sold to competitors, speculators or anyone with a grudge. And of course, a few firms or their employees may stoop to direct computer-based espionage against competitors. Since hijacked information would typically be copied and not altered, companies might never know they’ve been hit. In a so-far-unique public case of industrial espionage allegedly carried out by computer, Moore Publishing, a Wilmington, DE, investigative firm, filed a $10 million lawsuit against Steptoe and Johnson, a well known Washington, DC, law firm. Settled in July 2000 for an undisclosed sum, the suit claimed that Steptoe and Johnson repeatedly broke into Moore computers, allegedly in revenge for Moore’s having bought the rights to the “steptoejohnson.com” domain name (which it subsequently gave up).