Asleep at the switch?

[Fair Use: For Education and Research Purpose Only] 03/09/00- Updated 10:07 AM ET

Asleep at the switch? How the government failed to stop the world's worst Internet attack

By M.J. Zuckerman, USA TODAY

Susan Levy Haskell arrived at her office at the University of Minnesota as usual before 8 a.m. on Monday, Aug. 16, 1999, where she watched at first curiously, then later in horror, as the university computer system came under attack from a massive yet anonymous Internet adversary.

Haskell, the university's computer security coordinator, says that as hours passed the volume of incoming malicious traffic rose from a mere annoyance to an all-consuming electronic dissonance. The Internet connection grew ever less responsive, degrading steadily until the university was cut off from the world.

"It became pretty terrifying to realize how many machines had to be involved. It seemed like hundreds."

Investigators later determined that 2,200 computer systems, including those at more than 30 universities in the United States, had become unwitting "zombies," serving a still unidentified master computer, which directed the attacks and forced the university off the Internet for two days.

In a matter of weeks after the Minnesota incident, academics and elite computer security firms began spreading the word to clients and colleagues that this newly enhanced "denial of service" (DoS) attack was a clear and immediate danger to the Internet.

But it would take more than a month for federal officials at the National Infrastructure Protection Center (NIPC), which is responsible for national computer security matters, to learn of the incident and three more months for them to conclude that it was a threat worthy of a warning to the public.

It is now apparent that throughout the end of 1999, cybervandals were infecting large, insufficiently secured computer systems as zombies and laying the groundwork for a series of attacks last month that rocked e-commerce.

The delayed response and limited distribution of threat information is one of several criticisms being leveled at the NIPC and its sister agencies as the investigation into the attacks progresses slowly, according to recent congressional testimony.

"It was not enough," says Jamie Gorelick, the former deputy attorney general, who from 1994 to 1997 directed the administration's creation of the current electronic defense policy.

She and others say the protection center failed, leaving many e-commerce firms unprepared for the attacks Feb. 8-11 that slowed the global Internet by 20% and shut down the world's most popular commercial Web sites and the FBI's home page.

"There needs to be some agile operational capacity in the government, an ability to move quickly to provide warnings," she says. "This doesn't sound at all like what we had in mind."

Michael Vatis, director of the NIPC, an interagency fusion of federal, local and international organizations based at the FBI, defends his agency's response. It says it permitted the private sector to prepare for the worst while avoiding public hysteria.

"Three years ago we wouldn't have been able to respond at all," Vatis says. "Today we have an effective resource" for investigating crimes and issuing threat alerts.

Critics say the protection center and its sister agencies have fallen short of the vision President Clinton had two years ago when he issued a plan to "create a genuine public-private partnership to protect America in the 21st century" from devastating cyberattacks. The plan called for the private sector, which owns and operates both the Internet and the infrastructure that supports it -- electricity, banking and communications -- to create secure information-sharing centers in which companies could anonymously share threat information, new vulnerabilities and crises data. It also created a Commerce Department coordinating center to work with those industry clearinghouses and the NIPC.

But as the administration seeks $37 million in new spending for cybersecurity, the NIPC and its sister agencies are troubled by confusion within their own ranks as well as a lack of cooperation from companies and other government agencies:

Other government agencies are refusing to work with the NIPC, privately pointing to the FBI's longstanding reputation for not sharing well with others. "That's something we're still working on," Vatis says.

The Pentagon is the only Cabinet-level agency represented at the NIPC. The Secret Service, Transportation Department and Treasury Department, each of which is designated to have representation at the protection center, refuse to take part. The Department of Energy, which is supposed to play a major role at the center, is not represented. The CIA, which has four slots at the center, has filled one.

Friction and turf battles between the new cyber-security agencies may be hampering operations. The National Coordinator for infrastructure protection and counterterrorism is Richard Clarke, a White House official, who must get clearance on a case-by-case basis before the NIPC will brief him about investigations.

Vatis says Justice Department guidelines bar the FBI from briefing anyone outside the department about ongoing cases unless the attorney general grants a waiver.

The Internet community is demanding broader distribution of more timely threat information, beyond the security professionals with whom the NIPC typically deals. "If you are only spreading the word to specialists, then you are not getting threat information out across the board to small universities or e-tailers," says Harris Miller of the Information Technology Association of America, a leading trade association representing 11,000 corporations.

Though some companies are warming to the idea of sharing information with the government, many complain that they remain uneasy about government efforts to police the Internet.

"Where (the federal government) is completely failing is to be a place people trust" with delicate information, says Alan Paller of the SANS Institute, an education facility for computer system administrators that claims 100,000 members. "Ninety-eight percent of the time they won't share with the FBI because they fear having their (computers) confiscated, that their troubles will become public knowledge and that the agents will scare (clients) to death."

The president's plan has created so many entities gathering data on Internet vulnerabilities that it is causing confusion. "Imagine living in a community where there are seven different numbers to call for 911 services," says Mark Rasch, chief counsel to Global Integrity, a leading cybersecurity firm that hosts the financial industry's information sharing center. "You need to have one number, one place, that everyone trusts."

Adds Tom Noonan, CEO of Internet Security Systems, probably the fastest-growing firm in its field and a major booster of the NIPC: "Quite frankly, I'm confused by all these different government groups."

Word spreads slowly

In the days after the University of Minnesota attack, Haskell says her 911 instinct was to notify academic colleagues or other trusted computer professionals.

One of those she contacted was David Dittrich, director of software engineering at the University of Washington in Seattle. He became the first person to track down and unlock the codes that make the attacks operate.

It was a matter of days before he realized the new attack technique required immediate action. But the wheels of government turn slowly.

Dittrich first alerted CERT, the Computer Emergency Response Team at Carnegie-Mellon University, the nation's premier clearinghouse for data on computer vulnerability. By early September, it began organizing an unprecedented international conference to examine the emerging threat.

Based on CERT's letters of invitation to the conference, a handful of high-end security firms learned of the attack technique, and in October and November the firms quietly briefed clients about the impending threat.

Though the NIPC is a sponsor of CERT and has a liaison for the emergency response team on its staff, it received its first substantial report from CERT in late October. The response team has declined to comment on the apparent delay.

The three-day CERT conference in early November adjourned with this determination: "There is essentially nothing a site can do with currently available technology to prevent becoming a victim" of a denial-of-service attack.

The only prevention, the conferees said, was for system operators to update their security precautions to prevent vandals from exploiting known system weaknesses to gain control of their computers as attack "zombies."

On Dec. 8, the NIPC sent a note briefing FBI Director Louis Freeh for the first time. On Dec. 17, Vatis personally briefed Attorney General Janet Reno as part of an overview of preparations being made for Y2K.

By that point, several DoS attacks already had occurred, but "people weren't getting the message," Dittrich says. "CERT and NIPC were really worried. They had obviously been hearing about a lot more intrusions. They went back and recategorized a whole bunch of incident reports going back to April-May time frame, and they started telling me that this is a really big thing."

But not until the NIPC, working with Dittrich and Mitre Corp., developed a tool for identifying zombies in a system did the protection center decide to warn the public Dec. 30 and post the tool for anyone to download.

By that time, Vatis says, "someone was setting the groundwork for an attack, and that is when we decided to make a public announcement."

Electronic 'night of the living dead'

The NIPC was convinced that New Year's Eve "could be a day for people to start sending marching orders to these zombies. We were afraid that Dec. 31 might become the night of the living dead," he says.

"Thanks for giving us plenty of time to prepare," says a sarcastic Vinton Cerf, an MCI WorldCom executive who is widely regarded as a founder of the Internet. "The timing of this all was singularly unfortunate."

But the protection center gets high praise from many security firms for being the first to provide an effective tool to locate and remove the zombie infections. Vatis says far more damage would have occurred in February otherwise.

"You know, I'm sensing a little bit of doublespeak here," Vatis says. "Business is saying, 'We don't want the government telling us what to do; we can fix this ourselves.' And I agree. But then I hear people saying, 'Gosh, government didn't warn us loud enough.' "

"People have been saying for a long time that it's going to take an electronic Pearl Harbor for people to take security seriously," he says. "There's a kernel of truth there because we live in an event-driven society."

http://www.usatoday.com/life/cyber/tech/cth523.htm

-- Martin Thompson (mthom1927@aol.com), March 10, 2000

