Information is a hot commodity, and nations must defend their networks as vigilantly as their borders

Maginot Lines of code:
infowar, infocrime, and data defense

Alex Kirtland

Thievery has been around forever. In the history of mankind people have stolen chickens, horses, BMWs, paintings, bodies, and bread. Before that, when apes ran the Earth, it was probably bananas. And always -- always -- people have stolen money.

But these days people steal information. It is versatile. It can be sold, exchanged for other information, used for bribery or blackmail, traded, leaked, suppressed, and so much more. It comes in a convenient size, too -- easy to carry, and once you have it, virtually no one can take it away from you. But you have to know how to steal it, and nothing lends itself to the theft of information better than computers and the networks we use to connect them.

When it comes to thinking about "infocrime," as theft over computer networks is known, Alfred Aho, former head of Columbia's computer science department, becomes philosophical. "Evil hasn't disappeared just because we've entered the information age," he says. "There's human nature at play in this. Theft has always been around, and people will always steal."

Aho spends a lot of time thinking about electronic commerce and the protection of individual property. "When you move lots of money there is opportunity for mischief," he says. Now that people move money and information in an electronic form, it becomes more important to think about ways to protect it.

While Paul Clayton, head of the medical informatics department at Columbia and director of clinical information services at Presbyterian Hospital, is less concerned with moving money than with protecting large amounts of medical information about thousands of patients, the problem is essentially the same: "Our challenge is to protect the integrity of the database and make sure people who shouldn't see your data don't."

How do we protect ourselves? "Safe computing," says Clayton, removes 80 percent of the risk. "We should focus our attention on simple, straightforward things," like changing one's password every six months; these go a long way in protecting our resources and our privacy from information thieves.

In the real world, hacking and theft of information can take all forms. Just as there are some people who will only steal your lighter and others who will try to rob Fort Knox, thieves vary in their vision of what they should steal, what they should not, and how to do it. Alan Crosswell, manager of Academic Computing Systems (the office operating Columbia's CUNIX servers), says, "We see a lot of hacking." Most of it, though, consists of sophomoric pranks. "A lot of time is spent dealing with this petty hacking," of which there are four general varieties: to get superuser status, to deny other people service, to destroy files, and to get account space on servers. But the most important reason the hacking is petty is because of the type of information on the servers. "We don't have any trade secrets," Crosswell says. "What do we have here that people want?"

But Citibank has something people want, and lots of it. Colin Crook, former senior technology officer of Citibank Corp., has encountered infocrime many times. In the summer of 1994 Citibank discovered that someone was hacking its network and stealing money. Bank officials alerted the FBI, who asked Citibank to let the perpetrator steal a little more; $10 million later, the FBI and Citibank had enough evidence to catch a Russian hacker. They were able to recall all but $400,000; no customers lost money. In response to this incident, Crook says, "We've reacted. We've over-reacted. And it's been the right thing to do."

Could we face a "digital Pearl Harbor"?

Warfare, as old as theft and another unnamable profession in the annals of mankind, has also changed during the information age. Joseph Traub, the Edwin Howard Armstrong Professor of Computer Science at Columbia, addressing the National Academy of Sciences last year, said, "The defense of our national information infrastructure is one of the most important issues facing our country." Information warfare, or attacks on the nation's information infrastructure, is not something defense and computer experts take lightly. As more public and private entities become networked, the United States is left more open to a coordinated hacker attack. No network seems to be immune: Everyone from Columbia to the CIA to Ross Perot has been hacked.

Most people, Traub contends, do not sense the danger. The question is not whether we will be attacked but where the threats will come from and how bad the damage will be. "There are many potential adversaries," he says, "who are well trained and motivated." They might include nations, international criminal organizations, terrorists, and individual criminals.

Not all experts concur; the differing opinions in this area involve definitions of entities at risk, assessments of vulnerability, and estimates of appropriate response. Martin Libicki of the National Defense University in Washington, D.C., who specializes in what is termed "the Revolution in Militia," asserts that the digital Pearl Harbor cannot be ruled out but is highly unlikely. Libicki has written several papers on infowar, arguing that the chances of a coordinated hacker attack are low. Besides the more practical reasons, like the difficulty in coordinating an attack, perhaps the most compelling reason is that the payoff would not be worth the reprisals by the United States. In other words, Libicki says, for a rational opponent, what would be the value of bringing down the lights in Kansas City? However, he is quick to point out, "I'm not arguing for less protection."

Crosswell is as skeptical as Libicki. "To take everything out at once -- no one is near that level of interoperability," he says. "Things are too klugey. It's probably more likely you wipe out systems yourself than have a hacker wipe them out."

However, warning signs show a large-scale info-attack could happen, says Crook. America Online and AT&T have had serious system crashes. Although these crashes were self-inflicted, they proved that networks can go down "big time" -- and that to diagnose a problem, reload the network, and bring it back online is extraordinarily difficult. A hacker or terrorist "could do a hell of a lot of damage."

Regardless of the terms...

Many experts don't favor the term "infowar" and prefer to think about computer security in different language. Libicki prefers almost any metaphor to that of warfare, but the one he favors most is safety: "In the military safety is something that everyone thinks about all the time. You can stand down the entire Navy with safety issues." Traub disagrees, maintaining that infowar will be an important component of future warfare, both defensive and offensive. Crook likes to think of it as risk management. No matter what apt metaphor the experts choose, the popular imagination tends to be shaped by Hollywood: teen-age hackers breaking into the CIA's computers and threatening the stability of the nation. Perhaps the problem is that the idea of computer security hasn't entered the nation's consciousness in a realistic or helpful way.

Clayton explains that people have a "public trust" in information networks. Hollywood's presentation of hackers in the realm of fantasy tends to diffuse any sense of real danger. He compares it to the Tylenol incident several years ago, when someone placed cyanide in bottles of an over-the-counter pain reliever and several people died. "The Tylenol scare was an accident waiting to happen," he says. "It revolutionized the [packaging] industry." The result was blister packaging, tamperproof caps, and other forms of protection to reassure consumers that the products hadn't been adulterated. Clayton asserts that in order for the majority of people and businesses to take basic security procedures seriously, an incident has to happen.

"When you go below that level of public trust," he says, "people spend millions of dollars to get back on top of it. We're not below that public trust level yet. We may need a Tylenol incident to mobilize us -- or, if we're lucky, maybe we can raise awareness without having a disaster."


The year 2000 bug: this time we did it to ourselves
Many people are waiting for the year 2000 with great anticipation, but computer programmers are not among them. With the next millennium at hand, what is known as the year 2000 problem looms larger on the horizon -- an inescapable headache, and maybe worse.

Most computers store dates in the format mm/dd/yy, and when 12/31/99 rolls over to 01/01/00, an uninitiated computer will think the date refers to the year 1900 instead of 2000. This doesn't seem like much, but when you receive your January 2000 phone bill and are charged for a 100-year-long toll call, you will want to reconsider. When one considers the number of databases, computer-driven machines (say, elevators), and processes reliant on dates, the problem looms larger. "It is like an onion," says Robert Juckiewicz, deputy vice president of administrative information systems (AIS) at Columbia. "It is nothing very difficult. The problem just keeps piling up."

The problem, while simple to understand and, in a limited way, deal with, has three caveats that separate it from any other computer problem encountered before, says Fred Trickey, information security officer at AIS. One, everyone has to do it; two, there is no possible slippage in the projection date; and three, there is no business incentive -- all businesses must do it, and it won't necessarily help anyone's competitive edge.

While some people are waiting for a silver-bullet solution (some form of Microsoft wizardry, for example, is nearly inevitable), most are going ahead and trying to solve the problem by themselves. Columbia, Trickey says, endorses two possible solutions. One is to take all programs and databases and convert all year variables to four digits instead of two. The other is called "windowing" and involves choosing a two-digit date (say, 40) and declaring that anything above it refers to the 1900s, while anything below it refers to the 2000s.

While fixing this problem does not seem to be difficult, the trouble magnifies if you have a large database and you're swapping information with other large databases. Has everyone updated their databases? And if so, how did they do it? Is it compatible with your solution? The problem, once simple, quickly gets out of hand. Gartner Group, an information technology consulting firm, has estimated that the year 2000 bug will cost between $300 billion and $600 billion to fix. The damage is truly self-inflicted, but, as Juckiewicz points out, "there were very good reasons for us to do this."

Until recently, memory was expensive. There was a time when data were stored on physical cards, Trickey recalls: "Two digits was very important." But there were other reasons, too. "We all knew the problem was coming in the '80s," Trickey says. "We thought we'd replace the systems, but large systems cost a lot of money. It's not trivial to throw them out."

According to Juckiewicz, Columbia, along with most companies and other academic institutions, is in relatively good shape when it comes to the year 2000. Already the university had its first run-in with the problem when the Class of '00 enrolled. This has been dealt with. "It's the government that's going to have problems," Juckiewicz says. "The IRS has started but has so little allocated to it we know it's doomed for failure."

The problem is, of course, global, and Americans can thank the digital gods that they have only the year 2000 problem to deal with. The Europeans also have to deal with converting their currencies to the Euro. -- Alex Kirtland

Related links...

  • Winn Schwartau's Infowar.com

  • Computer Security Institute

  • CNN reports on U.S. vulnerability to "cyber attack," Oct. 8, 1997

  • Institute for the Advanced Study of Information Warfare

  • George Smith, "How I Learned to Stop Worrying and Love the Virus," Netly News (on computer viruses and the military)

  • President's Commission on Critical Infrastructure Protection

  • HotWired Webmonkey on reasonable computer security

  • Journal of Infrastructural Warfare (registration and subscription required)

    Year 2000 Related Links

  • Year 2000 Ltd., New Zealand

  • Michael Gerner, "Why Has The Year 2000 Problem Happened?" (University of Florida Year 2000 Information Center)

  • Institution of Electrical Engineers (UK), "The Millennium Problem in Embedded Systems"

  • Year 2000, British Computer Society

  • Year 2000 Directory, General Services Administration

  • Year 2000 Information Center

  • Edward and Jennifer Yourdon, Time Bomb 2000 (draft of online book)

    ALEX KIRTLAND is a free-lance writer and former website designer at Columbia-Presbyterian Medical Center.
    Photo Credits:
    Violin Case: Jonathan Smith
    Ransom Note: Photo: Jonathan Smith Note: Jodi Miller