“We’re upgrading software all the time, too – not everything at once, but bit by bit, because that spreads the cost and labor out, and because new products and new versions of old products don’t all come out at the same time. Finally, all the hardware has a purchase date, and it all gets cycled out on a fixed schedule for reliability, budget, and obsolescence reasons. Once again, every time we change out something, we have to be sure that all of the security controls on the new gear are set up again the right way, or we’ve blown it. Unfortunately, it’s a whole lot easier to forget to do something than it is to realize it.”
“That still doesn’t tell me how a hacker knows when or where there’s an opportunity to strike.”
“Like I said, they don’t need to ‘know’ when there’s an opportunity. They just need to know what an opportunity looks like. Then they can design a ‘bot’ – an automatic robot program that can recognize the opportunity – that hammers away every nanosecond at our firewall, waiting for a momentary lapse. All it takes is for a port to be left unguarded for even a moment, or some other minor glitch – and the bad guy slips inside. Funny, I was just explaining all of this to my daughter the other day.”
To Frank’s surprise, Cummings looked suddenly uncomfortable. “So then why do everything the same way?” Cummings responded quickly.
“Ah, there’s the rub. Because firewalls aren’t like physical walls. Back at Langley, everybody probably has to pass through just one or two gates to access the grounds, and I’m sure those gates are manned night and day, whenever they’re open. And you’ve certainly got regular and infrared cameras watching the perimeter all the time, and motion detectors besides, and probably more spooky stuff, too, that I’ve never heard of. People are easy to detect in a half a dozen ways, so I’m sure you’d know in a heartbeat if a bad guy even tried to get in.
“Of course, people that want to come in through the gate have to show identification, and for other parts of your facility, they must have to do more than that – you probably use biometric scanners, for example. And all that data can be checked against all kinds of databases before you let them go farther. Once you do let them in, I expect you don’t let them out of your sight unless they work there. Maybe not even then, I wouldn’t be surprised. And after the U.S. anthrax attacks back in 2001, every piece of your mail must be scanned, and zapped with radiation, too.”
“Of course,” Cummings interrupted. “But what does that have to do with cybersecurity? You can’t put physical walls in front of data, and you can’t have a guard checking every email that’s sent to each one of your employees.”
“Of course not. But you can very much use exactly the same means in a metaphorical and technical sense – by designing virtual walls and gates, by automatically requesting and checking security credentials against databases, and by scanning attachments and links in email before they’re allowed to be opened.”
Cummings wasn’t interrupting, so Frank continued.
“Still, though, you can’t ‘see’ a computer program, and that does make it harder to keep things secure. And remember, I also said that everyone’s firewalls are getting hammered all the time. So returning to the physical world, think what your guards, cameras and motion detectors would be up against if instead of looking at wide, floodlit lawns outside your perimeter, there were thousands of people milling up against your fences day and night? How many guys would you need to keep sitting at computer monitors then, trying to figure out which were gardeners and which ones were enemy agents, especially if they’re all carrying garden shears?”
“But we’ve all got anti-virus software,” Cummings objected. “To use your metaphor, isn’t that supposed to be able to tell the gardeners from the spies?”
“Yes and no. There are lots of people trying 24/7 to pick out the bad guys from the gardeners – but when they do figure that out, it’s almost always after some – or maybe a whole lot – of systems have already been compromised. So while there are public lists of viruses, worms, and Trojans – we lump them all together and call them “malware” – somebody had to identify each one as bad stuff before they could put it on the list. If you’re in charge of security, you’ve got to keep checking that list all the time. And there may or may not yet be a fix you can download to protect yourself from everything on it.”
“Oh yes – and there’s this other big difference between the physical and the digital world. Unlike Langley, where I expect you only welcome in a limited number of carefully pre-cleared visitors a day, there’s this thingy they call the Internet. And oh boy, how we all love the Internet! We want data to be coming in and going out all the time, every day, day and night. So instead of being able to just check people at the Langley gate, it’s like we’ve got all four Metro lines going right through the CIA cafeteria.”
Frank was on a roll now, galloping away on his favorite hobbyhorse. “But wait – it gets worse. At least over at the CIA you’re a bunch of spooks, and you only talk about spooky stuff to other card-carrying spooks. I’m sure you compartmentalize information up and down the chain and keep things locked down tight. And I expect you’ve got at least one computer system that isn’t connected to the Internet at all, or anything else that is.”
“Okay! There’s your answer!” Carl interjected. “Just limit Internet access to just a few people, and cut off all the rest. Instead of having a small network that’s disconnected from the Internet and a big one that is connected, do it the other way around.” He looked pleased with himself.
“Theoretically, you could. But unfortunately, we’re all addicted to access – right up to the top brass, even though we know we probably shouldn’t be, at least until we get this cybersecurity problem nailed. We’re like kids in a candy store – we want to have the goodies now and worry about the cavities later, even though deep down inside we know we might lose all our teeth.”
Frank noticed that Carl was starting to look bored, so he tried a more graphic illustration.
“Let’s use the Pentagon as an example – how’s that for a place that needs to worry about cybersecurity? But no, they’re into ‘network centric operations’ now, big time. That means they want everything, everywhere, accessible on one big network to anyone with the right clearance. They want to link everyone from a grunt on a mountain trail in Afghanistan to the Chairman of the Joint Chiefs of Staff – and from a road side sensor to a missile silo, too. And until they replace it, everything’s hooked into the same Internet we use at home, so technically every hacker might be able to figure out a way to see and read everything the military can.”
“Yeah, but they can’t, right?” Cummings said, doing a bad job of hiding a yawn. “Otherwise, we wouldn’t keep doing what we do.”
“Oh no?” Frank replied, annoyed. “Did you see the story the other day about the Taliban intercepting the video from Predator and Reaper drones in Afghanistan, because the Army didn’t think a bunch of terrorists would be sophisticated enough to worry about? It turns out all Al-Qaeda had to do was buy some off-the-shelf software to hack their way in. And now the military says it won’t be able to encrypt the video for at least 18 months. How’s that for a case of candy and cavities?”
“So what do you do?” Cummings asked, checking his watch. Now Frank was getting annoyed. This guy just wasn’t getting it.
“Well, to stop that, we have to add an administrative layer to be sure that only the right people can see the right information. That means you have to identify and categorize all the data, and then assign a security level to it and access categories, and so on, and then you also have to credential everyone on the network with the appropriate rights to the appropriate data. But wait – you’re not done yet – because then you also have to supervise the matching of credentials with the exchange of only the right data. And did I mention you also have to figure out whether someone logging on is really who they say they are?”
Frank paused. Cummings looked up, as if he hadn’t been paying attention. Frank leaned forward and began to speak more emphatically. “Well, we do. So at the same time that you’re making it technically possible for everyone to have access to everything, you’re also trying to set all of these security conditions so that each person – out of millions of people with some degree of access – can see only what they’re meant to see. Of course, you want to be sure that they can’t change anything they’re not supposed to change, either, because that would be even worse. And remember: there are no armed guards at the security gates checking who gets through the firewall – just computer protocols and programs, all on autopilot. It’s all just software.”
“What’s wrong with protocols and programs?” Carl asked.
“Nothing, up to a point,” Frank replied. “For most commercial purposes, they’re good enough. Matter of fact, there’s a point at which you don’t want to make them better, because the cost becomes prohibitive, or it slows things down too much. At that point, businesses just try and keep them more or less up to date, and plug the gaps with insurance instead of security.
“So economically ‘good enough’ security is what we’ve gotten used to. Think about your credit cards – if someone steals your card and uses it, you don’t worry about it. The card company has a computer program that detects the over-use and shuts it down quickly. Yes, the bank may have already lost some money, but that’s built into their profit margin, so the customer doesn’t realize that he’s had to pay a thing. Yes, identity theft is a bigger deal for the person who’s hit, but it hasn’t happened to enough people – yet – to get Congress to intervene.”
“So what’s wrong with that?” Cummings asked. “That makes perfect sense to me. Why pay for more protection than you need? Credit card costs are already too high.”
“What’s wrong is that a lot of things, like national security, aren’t like credit card information. Say we’re talking instead about the Pentagon, or a nuclear power plant, or a Presidential election. You can’t buy enough insurance to cover the consequence of someone hacking a missile silo, or a nuclear reactor. And insurance couldn’t compensate at all for corrupting the servers tabulating a swing state election, could it?”
Cummings leaned back and folded his arms. “Well, I’m not buying it. I can’t believe the Pentagon, the President and everyone else is just looking the other way while we go to hell in a cybersecurity hand basket. You must be overstating the problem.”
Frank snorted. “Haven’t you been listening? We haven’t even begun to address cyber-security. What we need to do is get creative – come up with ways to trick the bad guys while still letting the data get through that we want to get through. But instead, we just keep trying to build stronger virtual walls, and forget that we still can’t see the bad guys, or even all the chinks in the walls.”
Cummings had long ago quit taking notes. He sat there quietly, letting Frank run on as he picked up speed.
“When you get down to it, as long as we keep doing things the way we’re doing them now, we’re just kidding ourselves thinking we’ve got any cybersecurity at all. It’s like Homeland Security, which is a total joke, only worse. And how can you be worse than Homeland Security? It’s now almost ten years since 9/11, and we’re still only scanning half the baggage that goes into the holds of passenger planes!”
“But it is worse, because if the worst happened, you might not even know your system has been compromised. So it can keep right on happening! The whole damn thing’s a fraud, really – it’s the electronic equivalent of the Emperor’s new clothes. Except this time, instead of a little kid asking an awkward question, it could be a terrorist, or North Korea, and they’re not going to tell anyone. If something doesn’t happen to make us wake up soon, it could be a very big bang that finally does!”
Frank paused for effect, and then stopped short. What happened to just answering questions and telling the news?
Cummings looked pleased. “Thanks, Frank,” he said pleasantly. “That was extremely helpful. I confess that I don’t know as much about computer systems as I wish I did; that was very educational.”
Frank looked at Cummings warily; he’d said a lot more than he needed or wanted to.
“So, are we done? I’ve got a stack of work on my desk that isn’t getting done on its own.”
“Almost done. There’s just one last thing you could help me with. I haven’t asked the others about this, but since you seem to understand the hacker mentality so well, you might be able to provide some useful insights. Back at the office some of our folks have been putting together a profile of whoever might be behind this Alexandria Project exploit. Mind if I show it to you?”
Frank sat up straighter; this was the first time Cummings had been upfront about the Alexandria Project being a serious matter. Frank realized that he still had the thumb drive in his hand, and jammed it into his pocket.
“Okay, sure.”
Cummings pulled a sheet of paper out of his briefcase and slid it across the table. Frank gingerly pulled it the rest of the way across and began to read:
Case File: CSIU –LoC – CXFG – 7
Suspect Profile
Date: December 15, 2011
Event analysis: Exploits do not appear to be economically motivated, and are clearly meant to be discovered. Person responsible is therefore trying to make one or more points. Possibilities include the inadequacy of LoC security and/or its security staff. Because the exploit is ongoing, the person responsible is demonstrating, and likely reveling in, his self-perceived superiority over those that he knows are trying to track him down.
Identity:
- Gender: Male
- Age: 35 – 50
- Occupation: On staff IT professional
Psychological profile: Suspect will have a very high IQ, be well-educated, and creative. He will have a history of rebellion and lack of respect for authority, and be overly impressed with his own talents. He will have a low opinion of those who he thinks are incapable of thinking outside the box, including his superiors and his co-workers, and will not conform well to normal job expectations. He will likely have held many jobs, and few for very long. Suspect’s personality will have rendered him socially isolated at a young age, and a loner throughout adulthood. He will have formed few close connections with his coworkers.
Motivation: Suspect resents his lack of traditional success, and particularly the successes of those he believes are his intellectual inferiors. He is likely to be obsessed with security issues, and convinced that only he truly understands the danger they present. He will also believe his vindictive attacks are heroic acts that only he can perform. The attacks have likely been triggered by a specific act or event that offended suspect’s sense of self worth (e.g., the promotion of a co-worker).
Reviewed by: GLM, CRC, FHR
Frank was careful not to appear concerned when he glanced up, but Cummings was looking at him with a faint smile.
“So what do you think, Frank? Does that profile hold water? Does it sound like anyone we should be checking out?”
Frank felt clammy inside his clothes. “I can understand how this might make sense to you,” he said finally.
“Good!” Cummings said, turning the recorder off with a click. “That’s very helpful, coming from someone with your, how should I phrase it – ah yes – your background and skills.”
Frank sat stock still, trying to remember every word he’d said during his ten-minute tirade.
“I’ve got just one last question, then. Will you be home this evening?” Frank nodded, surprised.
“Good,” Agent Cummings said, snapping his briefcase shut. “I’ll stop by around 7:00 PM to pick up your passport.”
* * *
7
What a Difference a Day (and a Decision Tree) Makes
Frank struggled to organize his thoughts as he left the fiasco of an “interview” he’d just endured. Time to be logical, not emotional, or he just might find himself in jail. Yes, that’s what he’d need to do.
Though the thought of jail was unsettling, the concept of logic was comforting. His current situation wasn’t really different from any other challenge he dealt with at work, he told himself. All he had to do was break the problem up into a set of questions, and then answer them, right? The answers generated by his “decision tree” (in programming parlance), would tell him what to do.
So what question should he start off with, he asked himself as he sat down in his cubicle? Well, the first logic “gate” appeared to be whether Cummings really thought Frank was the culprit. Frank took out a pad of paper, turned it sideways, and wrote “Am I under suspicion?” on the left. Then he added two lines, one slanting up and one slanting down to the right of his question. Next to the “up” line he wrote “no,” and “yes” next to the down line.
If the answer to this first question was no, then Frank would have already reached the end of his decision tree, and could relax. But if the answer was yes, then he had more work to do. Frank weighed the possibility that Carl was jerking everyone around, and not just him. Negative, Frank decided. Everyone else thought the disappearing documents were part of a test, not a real exploit, and George would want Carl to keep it that way.
So that means I’m in trouble, Frank told himself. See? I’m making progress already, he added wryly.
He forced himself to focus. What should the next question be? He decided it should be whether he should do something to influence the outcome, or not. He added two more slanted lines. “No” meant just getting back to work. That, and trying harder not to do anything stupid.
The Alexandria Project: A Tale of Treachery and Technology (Frank Adversego Thrillers Book 1)