Worm: The First Digital World War
When he got to Washington, Rodney initially contacted a friend at the Commerce Department who worked on Critical Infrastructure Protection for the National Telecommunications and Information Administration, which advised the president of the United States on Internet issues. Rodney called his friend at home on Sunday evening, March 8, outlined what was happening, and sought his advice on how best to approach the Commerce Department about this new threat.
This was Rodney’s best foot-in-the-door for the massive federal bureaucracy, because he had a legitimate duty to brief the agency. Neustar’s contract for administering .us was with the Commerce Department. So Rodney asked for a chance to present the challenge now faced by the directory, and then, for background, told his friend all about the worm, and the new strain in particular. It was the first time the official had heard about Conficker, which was a little alarming to Rodney—but he apparently grasped its significance immediately. He said he would call right back, and less than an hour later, Rodney’s phone rang.
“Can you be at the Department of Commerce tomorrow morning at eight for a briefing in the chief information officer’s (CIO) office?” his friend asked. He wanted Rodney to brief a variety of officials not just about the threat to .us, but about Conficker as a whole.
Rodney put together a PowerPoint presentation in his hotel room that night. He had packed one white shirt for the trip, for a meeting on Tuesday at which, to his chagrin, he would feel obliged to wear a suit. He broke out the shirt early Monday morning and reported punctually to the monumental, six-story, Doric-columned, gray stone Herbert C. Hoover Office Building, a structure that has stood on the entire 1400 block of Constitution Avenue for more than seventy years as a massive symbol of prosperity, the granite fortress of American commerce.
Shortly after eight o’clock Rodney was standing before a roomful of Commerce officials. Among those in attendance that morning was an attorney with a background in Internet issues who had been working on a sixty-day review of cyber issues for the newly inaugurated President Barack Obama. As Rodney began to launch into his presentation, firing up his PowerPoint display, one of the officials asked, “Didn’t we already have this briefing?”
There was momentary confusion, and alarm. One does not convene the grandly important and extremely busy pooh-bahs of American prosperity for a briefing they have already received. Rodney’s friend had a few bad moments here. It seems that someone from the U.S. Computer Emergency Readiness Team (U.S. CERT), the agency charged with protecting federal computer systems, had met with most of this very Commerce Department crowd in the previous week for “an urgent briefing.” Material from that session was hastily found and presented to Rodney, who saw, to his surprise, that last week’s urgent briefing had concerned Conficker B, which had appeared more than two months earlier. Apparently the alarm sounded by Rick Wesson in early January in his “note from the trenches” was still getting the classic bureaucratic slo-mo treatment, inching its way from department to department. It confirmed Rodney’s already poor opinion of U.S. CERT.
Well, folks, if that briefing last week scared you, and it should have, you might want to tighten your seatbelts . . .
Rodney went ahead with his presentation about Conficker C, pointing out the seemingly insurmountable challenge the Cabal now faced in protecting the Internet. When he had finished, the room was quiet. One of the officials asked Rodney if he was free to give the same presentation at one o’clock that afternoon at FBI headquarters, where U.S. CERT held a meeting about current high-level threats every other Monday. Rodney said he would have to move some things around on his schedule, but that this sounded like the kind of occasion that warranted it. The same official then left the room, and returned moments later to confirm that he had spoken to one of the deputy U.S. CERT directors, and obtained permission for Rodney to attend.
The meeting in question was a classified briefing about cyberthreats, run by U.S. CERT Director Mischel Kwon. Usually the computer security chiefs of various vital government agencies attended. Rodney left the Hoover building and went back to his Neustar offices. He knew Kwon; he had met her on several occasions. He did not want to ambush her, or show her up, given the fact that her agency seemed so far behind on the threat. He had tried to contact her several times in the previous months, but had been ignored. Still, as a courtesy, he tried again. He sent her an email, saying that he would be seeing her at the briefing in a few hours, and quickly summarizing his presentation. He closed by offering to talk to her beforehand if she wished.
Kwon responded six minutes later.
“Rodney, I appreciate your update. I must tell you that the one o’clock meeting is for government only. The only nongovernment allowed are contractors under contract directly supporting the government. Am I to understand that you will be briefing prior to the meeting? Please do know there has been a misunderstanding.”
She copied the email to a number of others, among them the deputy who had authorized Rodney’s attendance.
Rodney wrote back that there had been no misunderstanding, that he had been asked to brief people at the meeting at one o’clock. He was also, in fact, a contractor directly supporting the government, but he did not wish to split hairs.
“Let me know if I should cancel coming over,” he wrote.
Moments later, an email flashed on Rodney’s screen from the deputy who had approved the session, mailed to him and a large number of others, including Kwon. It read, simply: “He can brief at the meeting.”
Rodney was startled. After all, this was supposed to be Kwon’s deputy. He surmised that the Commerce Department official who had spoken to the deputy earlier must have complained about hearing of the new Conficker variant from Rodney, a civilian, a naturalized citizen with a foreign accent to boot, instead of from the agency charged with responsibility for such things. Rodney could imagine how that conversation must have gone: You mean to tell me you jackasses have no bloody idea this is happening? He sensed serious trouble in Kwon’s kingdom—indeed, she would resign five months later.
He sent her another message:
“Hey, I really don’t want to cause problems for you. Really, I apologize if I did. I wanted to give you a heads-up. You don’t want me to come, let me know.”
Kwon fell silent. She did not respond, nor did she attend the one o’clock meeting. Rodney walked into an enormous conference room at FBI headquarters and was led to a lectern. He faced scores of officials, none of whom he recognized except for the attorney reviewing these matters for Obama, who had been at the morning briefing at Commerce. All wore security lanyards with their plastic ID prominently displayed, a totem in Washington’s security-obsessed culture, demarcating privileged access and high security clearances. But there were no names on the dangling plastic. He saw every agency acronym he had heard of—FBI, SS, DOD, FAA, FCC, DOJ, NSA, CIA—and many he had not. Curiously, no one in the room introduced him or herself. Just as with the Cabal’s dealings with the feds throughout, for these people information flowed in only one direction. They get your name; you don’t get theirs. Rodney had brought along a USB thumb drive with his presentation, and a laptop of his own, because he knew the government had banned the use of thumb drives the previous year—a rule dating back to the fiasco of the thumb drives in the Pentagon parking lot. But instead one of the men took the drive and plugged it right into a laptop at the lectern.
Rodney laughed.
“What?” asked the man.
“I’ll get to it,” said Rodney.
He gave a condensed version of the presentation he had given that morning. He saw the officials in the room exchanging startled looks and shrugs with each other—Did you know about this? I haven’t heard a thing! He told them how the botmaster had been upping his game, outmaneuvering the Cabal for months. He did his best, as Rick had done almost two months earlier, to describe the scope of the threat. He mentioned the thumb-drive issue, an infection vector ever since Conficker B, and explained his earlier laughter—his astonishment that DHS itself had evidently ignored the widely touted ban. He had been allotted fifteen minutes for his talk, and an hour later he was still at the lectern answering questions, explaining. The concern and surprise of the officials were evident. Rodney did his best not to throw U.S. CERT under the bus . . . but he could see why Kwon had tried to head off this briefing, and then had skipped it. It was embarrassing. A small group followed him out of the room when he was finished.
Rodney asked them who they were.
“I’m from the FAA,” said one.
“I hope I wasn’t boring you,” said Rodney.
“No. I’m on my way back to Kansas City. We have an issue.”
When he got back to Neustar, there were messages from several Congressional offices, asking that he come to the Hill to brief this or that senator or representative. He went right out and bought another white shirt, because clearly he was going to have a few more reasons to dress up this week.
In the Congressional Office Building the next day, between meetings, he received a message from one of the attendees of the Monday afternoon briefing, double-checking some of the details in the PowerPoint presentation. Rodney just emailed it to him from his thumb drive. One of his assistants came to him later that day and told him he had received a phone call from a contact at U.S. CERT, asking questions about Conficker. It seems the agency had been tasked to make a presentation on the worm at the White House that day. The assistant had referred him to Rodney, and the contact had responded, “We’re not allowed to talk to him.” So Kwon had apparently taken umbrage at Rodney’s big show. But he clearly now had the feds’ attention.
“People seem to be finally getting that this is not a joke,” Rodney told his assistant.
The following day he was asked to brief the staff of the Senate Select Committee on Intelligence. Because the committee’s offices were off-limits to those without a high security clearance, the staff arranged to meet with Rodney in the Visitors Center of the Capitol Building, in the cafeteria. About a dozen staffers met him there in the middle of the afternoon. The cafeteria was quiet and mostly empty. They cordoned off a portion of the big room with portable dividers, and sat around a long table. Before Rodney got started, one of the staffers, a young woman, interrupted him.
“Just so you know,” she said, “we probably know a whole lot more about Conficker than you do. We received a classified briefing yesterday afternoon,” the woman said. “So there’s probably not much more you can tell us about this.”
“That’s really good news,” said Rodney, his voice heavy with sarcasm. By now he knew without a doubt how clueless the establishment was. The woman’s arrogance annoyed him. He started collecting his notes.
“Since you have matters completely under control,” he said, “then there’s no reason for me to be wasting any more of your time.”
As he stood, there was a chorus of nos.
“Stay,” protested one of the staffers.
“We want to hear it,” said another.
So Rodney sat back down. He took out copies of his PowerPoint presentation, which had been printed up on Neustar stationery. He handed them out around the table. The woman who had addressed him flipped through her copy and pronounced, “Yep, this is the same presentation we saw at the classified White House briefing yesterday.”
The meeting dissolved into laughter when the staffers realized that U.S. CERT had simply taken Rodney’s briefing and presented it at the White House as their own work—and classified it, to boot! Rodney later confirmed it with his White House contact, who had attended all three of the sessions—“They just gave yours as their own,” the contact said. So much for vaunted federal cyberdefenses.
This was hard work, this laboring to rouse the great slumbering giant of the U.S. government, trying to enlist its vast resources in the fight. He had been successful, to a point. That Thursday, T.J. passed along a request to add eight U.S. CERT officials to the List.
So Rodney was stung, after this weeklong uphill slog, to find himself being sniped at by some in his own ranks. No one from the Cabal itself, at least not directly, but word of Rodney’s briefings in Washington had spread far and wide in the Geek Tribe, as the administrators and staffers at his briefings reached out to their own trusted sources, to their own security experts, asking: Who is this guy? Are these things he’s telling us true? Is this Conficker worm as dangerous as he says it is? If so, why haven’t we heard about this from you? And at least some received answers—no doubt in some cases covering their own ass—that this Rodney Joffe fellow . . . may . . . have . . . exaggerated the danger. After all, the worm had done nothing yet. Some were far enough out of the loop that they still clung to the grad-student-stunt theory, à la the Morris Worm, which had gone out the window with Conficker B. No one who really knew the worm was making this claim, but people on the fringes, people worried that crying wolf in Washington might give the Tribe itself a bad name, feared that their own credibility might suffer by professional association. There were suggestions that Rodney, beating his drum so loudly, might have been puffing himself up.
This was—there is no other word for it—insulting. Rodney was a bona fide Internet pioneer. He had practically invented the techniques of e-marketing and e-commerce, and had gone on to invent the content distribution and load balancing technology that was utilized by ISPs all over the world. He wasn’t some ivory tower visionary, either; he was a successful businessman. With regard to divining where this marvelous technology was going, and assessing its strengths and its weaknesses, there were few people in the world who could match his record, who saw the whole thing so clearly. Who better to sound the alarm? Who better to quantify the risk?
Very early on Saturday morning, still in Washington, Rodney responded passionately and at length to his critics, posting a letter to everyone on the List. It was a forceful broadside, an argument for the importance of the effort, a defense of his own efforts in Washington, a challenge, and a rallying cry. If they were going to beat this thing, they had to stop undercutting themselves.
It led to a remarkable exchange:
Gentlemen,
Based on some off-line discussion and comments, as well as the reported discomfort of some of you on the List with my activities this week, I’d like to confront the elephant in the room. . . . The problem with Conficker is not Conficker.
Since the beginning of “the Cabal,” we have all been focused on the tactical issues of responding to it. Each of us in our way, and based on our own agendas. MS [Microsoft] because the initial hole was in the OS [Operating System], as well as the fact that ongoing infections and spread occurs with Windows users. Symantec and Kaspersky because the worm is a bastard to deal with and they make software that has to deal with it. Me, and the other registry operators because it uses our resources for C&C [command and control]. Registrars because C&C domains get registered through them. ISPs because they provide the transport and their customers are affected. Researchers because they see it and analyze it. Some of us (you) play multiple roles.
But none of us has really dealt with why this is bad stuff. Conficker has been relatively harmless so far, as far as we know. And as I was asked and admitted repeatedly as I rang the bells in Washington, we have no evidence that it has [been] or will be used maliciously. Some on this list have posited that it may just be an experiment that was wildly successful, or perhaps a group of coders proving they can write good code.
I was a reserve police officer in Los Angeles for 20 years. I learned that there is real crime in the world. And that some people are just plain evil (well, I knew that from before, but only through the lessons of history—working the streets of LA gave me firsthand experience at how common it was). Working a homicide scene shows you how even 2-bit gang bangers can be truly evil given half a chance.
So I say “b*llsh*t.” This isn’t a game. Looking at this list, every one of you has been the victim of a DDoS. You’ve all dealt with spam. I know that most of you have been pwned, and had your keystrokes logged or traffic sniffed by malware. And at least one of you has been on the receiving end of extortion. So you know better. You know what a botnet can do. A small one. . . . We all know that a botnet of Conficker’s size is an effing lethal weapon in the wrong hands.
Well, who do you think the wrong hands are?
I have been accused of spreading fud in Washington. Of making a bigger thing of this than it is. So I want a discussion here and now to deal with this once and for all. Otherwise pfffffft to you. You’re taking your employer’s money or the taxpayer’s money under false pretenses.
This is also not about PR. I have not had a single conversation that wasn’t covered by some sort of requirement of confidentiality. The only conversations I have had are with one of you, or a government official who serves in some or other form as a specialist in security, or a legislator or staffer with TS [top security] clearance or better on a committee that has Cybersecurity under its purview. And I have not shared a single piece of information without first asking the source or author of that piece of information for permission. Period.
I have refused to allow any of our [Neustar’s] employees to even take a call from the press. And I have no intention of doing so until this group reaches consensus that we need to.
Now back to the discussion.
Conficker hasn’t caused any damage. It doesn’t slow its hosts down. It hasn’t eaten bandwidth. And it certainly hasn’t caused me any load problems.
But what if it does?
What happens to the net in general if each of the infected hosts sends just one other infected host 20KB/s of traffic a second, all at the same time? Or makes just one 50KB web post every few seconds, to a mixture of Yahoo, CNN, Google, Hotmail and other well connected sites. Given the nice maps you have, most of the world’s networks will collapse. Some of them just because they’re in the path. I don’t care who you are. Certainly all of the tier-2 networks would fall over. . . .