That's the premise of a new book, No Outward Sign, by longtime cybersecurity strategist and consultant Bill Neugent. Of course, in the world Neugent has created, the hero is a 'cyber vigilante' and he falls in love with a beautiful FBI agent. And of course, American companies aren't really under attack.
Or are they?
Neugent says people shouldn't be so sure. The author's day job is chief engineer for cybersecurity for The Mitre Corporation, a high-tech consulting firm for the federal government, and he says he wrote the book to offer up a warning -- a warning of possible things to come.
In an interview with eSecurityPlanet, Neugent says virus writers are actually a God-send, and adds that we're far more vulnerable than most people believe. He also says we're in a security 'arms race' and right now, the good guys aren't doing so well. But that could all change too.
Q: Bill, you're a real security guy -- an expert. Why write fiction instead of a how-to?
I have the bug -- the writing bug. I thought I would write the novel I've been wanting to write and also do a public service by showing how it feels from an insider's view to be under attack. I wanted to draw attention to the kind of vulnerabilities that we've been experiencing recently with worms and blackouts. I got a lot of calls during the blackout with people asking if my publicist arranged it.
Q: What is the message that you're trying to put out there?
My message is that we're naked in cyber space... I have a lot of guys who work with me and if they wanted to, they could write a destructive worm that would have catastrophic effects across the world. There's no defense against that. No defense. No defense. It would be easy. They could use a Zero Day flaw. Or as soon as the patch is announced, they could write a worm within a day or two. Without having done anything particularly hard or creative, they could cause a lot of destruction. None of the worms we've been dealing with have been particularly bad.
Q: Recent worms and viruses have caused a lot of damage. How could they not be bad?
They could be a lot more damaging than they've been. The hackers who've written these worms and viruses have done us a wonderful service. Every time they do that, they raise the security bar on what vendors need to do to provide normal business-grade security. It's not us calling for it. It's hackers writing worms and viruses that have raised that bar for security. Thanks to hackers, we're better protected against organized crime and foreign nation states that want to harm us.
Q: How vulnerable are we today?
Highly. Nation states right now can build that malicious worm. They don't because why would they kill the cow they're milking so successfully? It's really easy for them to break in. Our own government red teamers succeed in breaking in every single time. If our guys, using Internet-grade tools, could do that, an adversary could do the same. But they don't because our networks are more valuable to them up than down.
Q: Why is that?
Hackers like to own systems so they can launch attacks against other sites. Organized crime is wonderfully successful stealing money over the Internet. Look at identity theft. The Federal Trade Commission says it's the number one complaint from consumers. Identity theft is a huge, huge problem. Criminals all over the world are stealing money so they want all these networks up.
Q: But there obviously are countries and terrorist groups that would love to damage our infrastructure. How much of a threat is that really?
There's a lot of reported evidence of terrorists studying cyber terrorism. A couple of months ago, the FBI arrested a student at the University of Idaho. He had alleged Al Qaeda ties and he was getting his Ph.D. in cybersecurity. It means that cyber terrorism is not at the top of the terrorist job jar but it's in the job jar. It's not their priority but they're working it. They haven't gotten to the point where they're an active force but it's just a matter of time.
Q: What do you think IT managers should be focusing on?
Automatic patching or as close to that as possible. For critical patches, their installation must not be dependent on users. That's absolutely fundamental. It's a critical part of our infrastructure that we have not had.
Q: What kind of coming attacks are worrying you the most? Are you expecting bigger and more destructive worms? Are you looking for a direct terrorist attack?
It's hard to predict the future. What I expect is terrorists to finally get some traction in this domain and launch attacks. They won't cause a digital Armageddon. It'll be serious but limited damage. It'll be done along with physical terrorism. They might blow up a bridge and then launch a cyber attack on the 911 system so people can't call for help.
Q: Are American businesses safer now than they were six months ago or even two years ago?
That's a tough one. Losses are greater now. That's proof that maybe we're not so safe. I expect that in two to three years, especially as Microsoft's investments start to pay off, we'll see substantial improvements in cybersecurity. But the number of vulnerabilities has been doubling every year and the number of attacks has been increasing at at least that rate. Our security is better, but we're no safer. It's an arms race and the bad guys are advancing as well as the good guys.
Q: Who's winning the race?
I think we're losing a number of battles right now. For right now, I think the bad guys are winning. They're getting money. They're getting information. If they really wanted to launch the destructive malicious worm, it would be devastating. They haven't yet, but they're capable of doing that.