Click Here to Bring Down the Internet
by Bruce Schneier
The Internet is fragile, rickety. It is at the mercy of every hacker and cracker. In recent Congressional testimony, hackers from the L0pht boasted that they could bring down the Internet in under 30 minutes. Should we be concerned?
In almost every area, those with the expertise to build our social infrastructure also have the expertise to destroy it. Mark Loizeaux is President of Controlled Demolitions, Inc.; he blows up buildings for a living. He's quoted in the July 1997 Harper's Magazine: "We could drop every bridge in the United States in a couple of days.... I could drive a truck on the Verrazano Narrows Bridge and have a dirt bike on the back, drop that bridge, and I would get away. They would never stop me." Ask any doctor how to poison someone untraceably, and he can tell you. Ask someone who works in aircraft maintenance how to knock a 747 out of the sky, and he'll know. The Internet is no different.
Moreover, attacking a particular system or site is much easier. A burglar can break into any house, given enough time, skill, and budget. Myles Conner, famed art thief (currently in prison), said: There isn't a museum in the world that's invulnerable [to a true professional]" (Time, 17 Nov 97). Again, the Internet is no different.
The knowledge exists and the systems are vulnerable. All it takes is someone with just the right combination of skill and morals. Sometimes it doesn't even take that much skill. Timothy McVeigh did quite a number on the Oklahoma City Federal Building, even though his sloppy and excessive use of explosives probably disgusted a professional like Loizeaux. Sloppy and excessive Internet attacks can also be successful; it doesn't take a rocket scientist to realize that you can choke someone's e-mail server by subscribing him to every one of the thousands of Usenet mailing lists.
So at first glance the Internet is no different from any other critical piece of infrastructure: fragile and vulnerable. But the nature of the attacks are very different. McVeigh had to acquire the knowledge, go to a private farm and practice, rent the truck, fill it with explosives, drive to the federal building, set the fuse, and get away. For our doctor to poison someone or our aircraft maintainer to sabotage a 747, they have to get close to their target, put themselves at risk, get in, get away, leave evidence, make mistakes. And they all have to know what they are doing.
On the Internet, you can be far away from the site you are attacking. You can have no skill, just a software package downloaded from a hacker web site. You don't have to put yourself at risk. Ehud Tenenbaum, a.k.a. "The Analyzer," the Israeli hacker who wowed the world with his works against the Pentagon, didn't do anything new. He downloaded an existing tool to exploit an old security flaw that was patched years ago, and attacked a bunch of computers that never bothered to update their system. The real news is that the Pentagon doesn't bother installing free patches to protect its computers against published attacks.
Fear will always play a part in security, whether it is airline safety, terrorist countermeasures, or Internet security. But the real threats aren't from ethical hackers like the L0pht members, who uncover security holes and then announce their results so they get fixed. Nor are they from sophomoric hackers like the Analyzer, who download "warez" and run them without fully understanding what they are doing. The real threat is ignorance: in companies, in the media, in the public.
As the world begins to conduct business over the always-under-construction Internet, we need to understand the real threats to the system. We need to understand what levels of security are possible, even desirable. We need to fix security flaws when they become known, and not just give the problem lip service until the press coverage blows over. And we need to make sure critical systems have redundant backup plans.
The doomsday scenario is real: An ethical hacker discovers a security flaw, someone else writes a program that demonstrates it, someone else with less ethics modifies it, and someone with no ethics decides to use it in a way no one ever envisioned. Suddenly there's a web site that has a Java application: "Click here to bring down the Internet." It's not a pretty thought.
Photo of Bruce Schneier by Per Ervland.
Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..