"I Love You" and the Problem of Cyberwarfare
Source: Stratfor’s Global Intelligence Update
May 15, 2000
Summary
Last week, officials from the government and the
computer industry gathered in the wake of the massive denial of
service attacks against commercial web sites and the outbreak of the
"I Love You" virus. The real problem the United States and much of the
world faces is that people are overwhelmingly dependent upon a single
computer operating system that is exceedingly vulnerable to even
simple attacks. The PC and the Internet have become indispensable -
while remaining indefensible.
Analysis
Last week, U.S. government and computer industry
officials gathered in California for a summit on computer security.
The meeting took place in the wake of a recent spate of computer
viruses and attacks, including the massive denial of service attacks
on commercial web sites, apparently launched by a Canadian teenager,
and the "I Love You" virus, seemingly launched by someone in the
Philippines.
It is important to realize that neither of these attacks
was developed by a computer genius. The Canadian teenager’s ability
to shut down Amazon.com was perhaps one notch more sophisticated than
setting an autodialer on a telephone to repeatedly call someone’s
phone, making it impossible for real callers to get through. The "I
Love You" virus was a short script written in a fairly simple
language, VBScript (the scripting edition of Visual Basic), sent as
an e-mail attachment and run by Windows the moment a recipient
double-clicked it; it took advantage of the lack of security in
Microsoft’s e-mail package. No one is going to be offering either of
these software creators jobs at the National Security Agency.
Some people are taking comfort in this. John Dvorak, a
usually astute observer of the computing world, wrote in PC Week, "The
Love Bug Virus is the type of thing that’s great for keeping
journalists busy on a slow news day. I’ve never seen anything get so
much ink. The question of the day: Will writing two-bit destructive
viruses become the way that loners and goofballs get their 15 minutes
of fame? I suspect this is the case. It certainly beats setting
oneself up on the school clock tower and picking off fellow classmates
with a rifle."
Dvorak is of course right - but he’s missing his own
point. Vitally important news is being made. The news is this: It is
now possible for a comparatively unsophisticated computer programmer
to create absolute havoc. It is not the hacker’s psychological profile
that is interesting; it is the intellectual profile that is stunning.
It used to be possible for a brilliant but unstable person to wreak
havoc. Today, a not particularly bright crackpot can achieve the same
outcome. And that is the point. There are few brilliant people in the
world. There are lots of dullards. Based on the ratio of fools to
geniuses, the likelihood of future attacks increases.
The problem is this: the personal computer and the
Internet are both revolutionary - and yet, terrifically vulnerable.
Both are less than a generation old and comparatively primitive, like
the telephone or automobile early on in their evolution. Yet the
revolutionary nature of computing today allows all kinds of people to
do important things in ways once impossible. Everyday people in all
walks of life and work have become dependent on these systems.
The vulnerability of these systems stems from the simple
fact that they were never intended to be the center of such
dependency. The personal computer was developed as a stand-alone
system. Unlike mainframes with multiple users using multiple accounts,
the PC was deliberately designed to serve the needs of an individual.
The entire purpose of the PC was to be a functioning system that
provided the user unfettered access to his data, programs and even
operating system. Hence its name. It followed from this that the
individual was unlikely to seek to harm his own computer or the data
on it. Security was hardly a priority.
Connectivity between PCs has crept in slowly. Not so
long ago, people couldn’t conceive of a mass market for PCs. As word
processors and spreadsheets emerged, the usefulness of the PC became
more apparent. Still, few people in the 1980s imagined that one of the
PC’s primary roles would be that of a communications device. At first
limited to a handful of military and academic users, e-mail usage
began to explode in the late 1980s.
Early e-mail had been built around a few academic
mainframes. A PC user would get a campus account - either on a
mainframe or minicomputer - and use it in terminal mode, not as a
true computer. He would dial up to that account via a modem, at 300
or 1200 baud. That computer would link to other computers in a crazy
quilt pattern called Bitnet, a cooperative academic network that grew
up alongside ARPAnet (a Defense Department initiative). Over time,
data files were stored on various university mainframes. One of the
biggest collections was at the University of Minnesota, home of the
Gopher system, with tons of non-graphical information. Using this
network of computers, the user could hop around the world. Out of
this primitive connectivity came the explosion of the World Wide Web.
But the PC was never intended for this purpose - it was
created for a single user. Efficient usage meant that much of the
function of the operating system was hidden from the user, who really
didn’t need to know what was going on within the system. Also, in the
interest of ease of use, the different applications became more
tightly integrated with each other and within the file system. The
outcome, of course, was the Microsoft-driven computer of today where
the word processor, spread sheet, e-mail package, web browser and file
system are intimately connected.
As a result, it is difficult today to figure out exactly
what is going on inside your own computer. The integration of
processes obfuscates the operating system. A good example can be found
in the famous "blue screen of death" that functions like a "service
engine" light. It tells you that you are in trouble, but doesn’t tell
you why. The inability of the Microsoft Operating System (OS) to tell
the user what is wrong is a feature, not a bug, as they say. The OS
frequently doesn’t have any idea what has failed. The complexity of
the system itself makes transparency impossible.
Microsoft triumphed because it provided for the easy
exchange of files within the PC and between PCs. But that very ease of
exchange created the current potential crisis. The Microsoft operating
system took advantage of connectivity opportunities. Once the computer
became connected, it was no longer under the sole control of the
owner, whose interest was in protecting his computer and his data;
instead the owner is now exchanging information with others who might
have more malicious interests. The structure of the Microsoft OS made
it extremely difficult to deal with maliciousness for two reasons:
1. The increasingly tight integration of the OS with
applications and links between applications means that malicious
imported code can migrate rapidly from one part of the system to
another. The "I Love You" virus, for example, read the address book
of the e-mail system in order to mail itself to every contact in it,
and then went after music and graphics files on the user’s disk.
2. The lack of transparency of the operating system
makes it extremely difficult to create programs that can see what is
happening inside the computer in real time, creating shut-offs or
fail-safes. Current anti-virus software is instead forced to identify
known viruses by scanning incoming files for their signatures - byte
patterns cut from samples that have already been analyzed. This means
that a new, unknown virus can’t be stopped until someone has captured
it, written a signature and distributed the update, and even a
trivially altered copy of an old virus can slip past the old
signature.
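The limitation described in point 2, shown as an added example (this code is not from the Stratfor article or from any anti-virus product): a toy signature scanner is run over three constructed attachments - a harmless stand-in for a mass-mailing script, a copy of it with one variable renamed, and a benign text file. The signature catches the original and misses the renamed copy. For contrast, two checks on what the attachment is rather than what bytes it contains are shown: a double extension that hides a script type behind a document extension (the "LOVE-LETTER-FOR-YOU.TXT.vbs" trick, which works because Windows hides the last extension of known file types by default), and a crude content test for address-book plus send-mail behaviour. The signature name, the sample contents and the heuristic thresholds are all assumptions made up for the demonstration.

```python
"""Added example: signature scanning versus simple behavioural checks.

Everything here is constructed for the demo; the "sample" below is not
real malware and does nothing when run as a script.
"""
import re
from typing import Dict, List, Tuple

# Constructed stand-in for a mass-mailer script (harmless pseudo-script text).
KNOWN_SAMPLE = (
    b"rem constructed sample, not real malware\r\n"
    b"set mail = getobject(\"demo.mailer\")\r\n"
    b"for each entry in mail.addressbook\r\n"
    b"  mail.send entry, \"ILOVEYOU\", \"LOVE-LETTER-FOR-YOU.TXT.vbs\"\r\n"
    b"next\r\n"
)


def make_signature(sample: bytes, start: int = 0, length: int = 32) -> bytes:
    """A signature is just a fixed run of bytes cut from an analysed sample."""
    return sample[start:start + length]


# Hypothetical signature database with a single entry, cut from the loop line.
SIGNATURES: Dict[str, bytes] = {
    "DEMO.Mailer.A": make_signature(KNOWN_SAMPLE, KNOWN_SAMPLE.index(b"for each"), 28),
}


def signature_scan(data: bytes, signatures: Dict[str, bytes]) -> List[str]:
    """Return the names of every signature whose bytes occur in the file."""
    return [name for name, sig in signatures.items() if sig in data]


def mutate(sample: bytes) -> bytes:
    """Produce a 'new' variant: rename one variable. Behaviour is identical,
    the bytes are not, so the signature above no longer matches."""
    return sample.replace(b"entry", b"victim")


# Script types that Windows will execute on double-click (assumed list).
SCRIPT_EXTENSIONS = ("vbs", "vbe", "js", "jse", "wsh", "wsf", "hta", "scr", "pif")
DOUBLE_EXT = re.compile(
    r"\.(txt|jpg|jpeg|gif|doc|xls|pdf)\.(%s)$" % "|".join(SCRIPT_EXTENSIONS),
    re.IGNORECASE,
)


def looks_like_disguised_script(filename: str) -> bool:
    """Flag 'name.TXT.vbs' style names: a document extension in front of an
    executable script extension, which the default Explorer view hides."""
    return DOUBLE_EXT.search(filename) is not None


def references_mass_mailing(data: bytes) -> bool:
    """Crude behavioural test: the file both walks an address book and sends
    mail. Independent of which bytes the author chose for variable names."""
    lowered = data.lower()
    return b"addressbook" in lowered and b".send" in lowered


def scan_attachment(filename: str, data: bytes) -> Dict[str, object]:
    """Run the signature scan and both heuristics over one attachment."""
    return {
        "signature_hits": signature_scan(data, SIGNATURES),
        "disguised_script": looks_like_disguised_script(filename),
        "mass_mailer_traits": references_mass_mailing(data),
    }


# Constructed inbox: the known sample, its one-token variant, and a benign note.
INBOX: List[Tuple[str, bytes]] = [
    ("LOVE-LETTER-FOR-YOU.TXT.vbs", KNOWN_SAMPLE),
    ("LOVE-LETTER-FOR-YOU.TXT.vbs", mutate(KNOWN_SAMPLE)),
    ("minutes.txt", b"Agenda for Monday: budget, hiring, lunch.\r\n"),
]


def scan_inbox(inbox: List[Tuple[str, bytes]] = INBOX) -> Dict[int, Dict[str, object]]:
    """Scan every attachment; results are keyed by position in the inbox."""
    return {i: scan_attachment(name, data) for i, (name, data) in enumerate(inbox)}


if __name__ == "__main__":
    for i, result in scan_inbox().items():
        print(INBOX[i][0], result)
```

Attachment 0 is caught by the signature; attachment 1, identical in behaviour, is not, which is the gap the paragraph above describes. Both are flagged by the two checks that look at the attachment’s form and behaviour rather than its exact bytes, while the benign note trips nothing. Real heuristics are far more involved and produce false positives, but the distinction between matching known bytes and recognising a class of behaviour is the one that matters.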
During the denial of service attacks on web sites, no
one could figure out where the attacks came from, because a single
attacker can launch them from thousands of compromised computers at
once, so the flood arrives from everywhere and from nowhere in
particular. It is possible to plant malicious code on a computer whose
mission is not to attack the host computer - but to propagate itself
to other computers and then to begin flooding Internet sites with
requests, shutting them down by sheer overload. Finding these tiny
bits of malicious code on a server is mind-numbingly difficult. They
can be anywhere in the file system and called virtually anything.
There is some software designed to detect this code. But it needs to
be installed by people who are concerned with damage to other servers
- altruism that is fairly rare.
A teenage kid can knock out hundreds of corporate
systems because the foundation of modern computing, the operating
system, has been in rapid, forced development since the success of
MS-DOS. It was designed for one user who would treat it right. The
hyper-connectivity of the Internet exposes it to code delivered by
others. The Windows operating system was simply not built with this in
mind. It has served brilliantly as a tool for exchanging information.
But its very success has created the menace. The neat
macros created in a spreadsheet can be made malicious by a teenage
kid. Interoperability and interconnectivity were created without
regard to security. And there can be none without transparency. You
can’t be secure if there is no method for knowing what is happening in
your operating system. It is the perfect environment in which viruses
can flourish. That is true on the client and the server.
The problem is that we are dependent on these systems
for our daily work and our daily work can be used to spread harmful
programs. If a teenager can wreak this havoc, imagine what a concerted
effort by a well-funded government intelligence agency can do. That,
of course, is the point. Dependency on the computer and the Internet
at this primitive stage of development opens us to attack,
particularly from societies that are not dependent on PCs and the
internet, but that do possess the intellectual skills needed to mount
the attack.
One executive of an anti-virus company has suggested
that you should never open a file from someone you don’t know. That is
a measure of how shallow our defenses are. How can you be sure that
the person you know hasn’t become infected? In fact, how can you be
sure that the person you know doesn’t want to zap you? Some companies
have solved the problem by prohibiting attachments and removing floppy
drives. In other words, they have solved the problem by losing the
capability. The solution is not in policies, but in technology. The
problem’s center of gravity is the operating system.
Security requires a complete re-engineering of the
operating system to permit rapid diagnosis through complete
transparency. It will not be easy to evolve Windows or NT in this
direction. Officials seem to want to deal with this problem.
After all, the real threat from rogue states won’t be nuclear attack,
but cyber attack. Rogue states won’t launch nuclear attack for fear of
the counterattack. But how do we retaliate against a virus attack? We
depend on computers. They don’t.
(c) 2000 WNI, Inc.
http://www.stratfor.com