That's the premise of a new book, No Outward Sign, by longtime cybersecurity strategist and consultant Bill Neugent. Of course, in the world Neugent has created, the hero is a 'cyber vigilante' and he falls in love with a beautiful FBI agent. And of course, American companies aren't really under attack.
Or are they?
Neugent says people shouldn't be so sure. The author's day job is chief engineer for cyber security for The Mitre Corporation, a high-tech consulting firm for the federal government, and he says he wrote the book to offer up a warning -- a warning of possible things to come.
In an interview with eSecurityPlanet, Neugent says virus writers are actually a God-send, and adds that we're far more vulnerable than most people believe. He also says we're in a security 'arms race' and right now, the good guys aren't doing so well. But that could all change too.
Q: Bill, you're a real security guy -- an expert. Why write fiction instead of a
I have the bug -- the writing bug. I thought I would write the novel I've been wanting to write and also do a public service by showing how it feels from an insider's view to be under attack. I wanted to draw attention to the kind of vulnerabilities that we've been experiencing recently with worms and blackouts. I got a lot of calls during the blackout with people asking if my publicist arrange it.
Q: What is the message that you're trying to put out there?
My message is that we're naked in cyber space... I have a lot of guys who work with me and if they wanted to, they could write a destructive worm that would have catastrophic effects across the world. There's no defense against that. No defense. No defense. It would be easy. They could use a Zero Day flaw. Or as soon as the patch is announced, they could write a worm within a day or two. Without having done anything particularly hard or creative, they could cause a lot of destruction. None of the worms we've been dealing with have been particularly bad.
Q: Recent worms and viruses have caused a lot of damage. How could they not be
They could be a lot more damaging than they've been. The hackers who've written these worms and viruses have done us a wonderful service. Every time they do that, they raise the security bar on what vendors need to do to provide normal business-grade security. It's not us calling for it. It's hackers writing worms and viruses that have raised that bar for security. Thanks to hackers, we're better protected against organized crime and foreign nation states that want to harm us.
Q: How vulnerable are we today?
Highly. Nation states right now can build that malicious worm. They don't because why would they kill the cow they're milking so successfully. It's really easy for them to break in. Our own government red teamers succeed in breaking in every single time. If our guys, using Internet-grade tools, could do that, an adversary could do the same. But they don't because our networks are more valuable to them up than down.
Q: Why is that?
Hackers like to own systems so they can launch attacks against other sites. Organized crime is wonderfully successful stealing money over the Internet. Look at identity theft. The Federal Trade Commission says it's the number one complaint from consumers. Identity theft is a huge, huge problem. Criminals all over the world are stealing money so they want all these networks up.
Q: But there obviously are countries and terrorist groups that would love to damage our
infrastructure. How much of a threat is that really?
There's a lot of reported evidence of terrorists studying cyber terrorism. A couple of months ago, the FBI arrested a student at the University of Idaho. He had alleged Al Qaeda ties and he was getting his Ph.D. in cybersecurity. It means that cyber terrorism is not at the top of the terrorist job jar but it's in the job jar. It's not their priority but they're working it. They haven't gotten to the point where they're an active force but it's just a matter of time.
Q: What do you think IT managers should be focusing on?
Automatic patching or as close to that as possible. For critical patches, their installation must not be dependent on users. That's absolutely fundamental. It's a critical part of our infrastructure that we have not had.
Q: What kind of coming attacks are worrying you the most? Are you expecting bigger and
more destructive worms? Are you looking for a direct terrorist attack?
It's hard to predict the future. What I expect is terrorists to finally get some traction in this domain and launch attacks. They won't cause a digital Armageddon. It'll be serious but limited damage. It'll be done along with physical terrorism. They might blow up a bridge and then launch a cyber attack on the 911 system so people can't call for help.
Q: Are American businesses safer now than they were six months ago or even two years
That's a tough one. Losses are greater now. That's proof that maybe we're not so safe. I expect that in two to three years, especially as Microsoft's investments start to pay off, we'll see substantial improvements in cybersecurity. But the number of vulnerabilities have been doubling every year and the number of attacks has been increasing at at least that rate. Our security is better, but we're no safer. It's an arms race and the bad guys are advancing as well as the good guys.
Q: Who's winning the race?
I think we're losing a number of battles right now. For right now, I think the bad guys are winning. They're getting money. They're getting information. If they really wanted to launch the destructive malicious worm, it would be devastating. They haven't yet, but they're capable of doing that.