The United States is under attack by cyber terrorists. Major corporations have been brought
to their knees. Government agencies are too entangled in their own web to protect business
or the infrastructure.
That’s the premise of a new book, No Outward Sign, by longtime cybersecurity
strategist and consultant Bill Neugent. Of course, in the world Neugent has created, the
hero is a ‘cyber vigilante’ and he falls in love with a beautiful FBI agent. And of course,
American companies aren’t really under attack.
Or are they?
Neugent says people shouldn’t be so sure. The author’s day job is chief engineer for cyber
security for The Mitre Corporation, a high-tech consulting firm for the federal government,
and he says he wrote the book to offer up a warning — a warning of possible things to come.
In an interview with eSecurityPlanet, Neugent says virus writers are actually a
godsend, and adds that we’re far more vulnerable than most people believe. He also says
we’re in a security ‘arms race’ and right now, the good guys aren’t doing so well. But that
could all change too.
Q: Bill, you’re a real security guy — an expert. Why write fiction instead of a
how-to?
I have the bug — the writing bug. I thought I would write the novel I’ve been wanting to
write and also do a public service by showing how it feels from an insider’s view to be
under attack. I wanted to draw attention to the kind of vulnerabilities that we’ve been
experiencing recently with worms and blackouts. I got a lot of calls during the blackout
with people asking if my publicist arranged it.
Q: What is the message that you’re trying to put out there?
My message is that we’re naked in cyber space… I have a lot of guys who work with me and
if they wanted to, they could write a destructive worm that would have catastrophic effects
across the world. There’s no defense against that. No defense. No defense. It would be easy.
They could use a Zero Day flaw. Or as soon as the patch is announced, they could write a
worm within a day or two. Without having done anything particularly hard or creative, they
could cause a lot of destruction. None of the worms we’ve been dealing with have been
particularly bad.
Q: Recent worms and viruses have caused a lot of damage. How could they not be
bad?
They could be a lot more damaging than they’ve been. The hackers who’ve written these worms
and viruses have done us a wonderful service. Every time they do that, they raise the
security bar on what vendors need to do to provide normal business-grade security. It’s not
us calling for it. It’s hackers writing worms and viruses that have raised that bar for
security. Thanks to hackers, we’re better protected against organized crime and foreign
nation states that want to harm us.
Q: How vulnerable are we today?
Highly. Nation states right now can build that malicious worm. They don’t because why would
they kill the cow they’re milking so successfully? It’s really easy for them to break in.
Our own government red teamers succeed in breaking in every single time. If our guys, using
Internet-grade tools, could do that, an adversary could do the same. But they don’t because
our networks are more valuable to them up than down.
Q: Why is that?
Hackers like to own systems so they can launch attacks against other sites. Organized crime
is wonderfully successful stealing money over the Internet. Look at identity theft. The
Federal Trade Commission says it’s the number one complaint from consumers. Identity theft
is a huge, huge problem. Criminals all over the world are stealing money so they want all
these networks up.
Q: But there obviously are countries and terrorist groups that would love to damage our
infrastructure. How much of a threat is that really?
There’s a lot of reported evidence of terrorists studying cyber terrorism. A couple of
months ago, the FBI arrested a student at the University of Idaho. He had alleged Al Qaeda
ties and he was getting his Ph.D. in cybersecurity. It means that cyber terrorism is not at
the top of the terrorist job jar but it’s in the job jar. It’s not their priority but
they’re working it. They haven’t gotten to the point where they’re an active force but it’s
just a matter of time.
Q: What do you think IT managers should be focusing on?
Automatic patching or as close to that as possible. For critical patches, their installation
must not be dependent on users. That’s absolutely fundamental. It’s a critical part of our
infrastructure that we have not had.
Q: What kind of coming attacks are worrying you the most? Are you expecting bigger and
more destructive worms? Are you looking for a direct terrorist attack?
It’s hard to predict the future. What I expect is terrorists to finally get some traction in
this domain and launch attacks. They won’t cause a digital Armageddon. It’ll be serious but
limited damage. It’ll be done along with physical terrorism. They might blow up a bridge and
then launch a cyber attack on the 911 system so people can’t call for help.
Q: Are American businesses safer now than they were six months ago or even two years
ago?
That’s a tough one. Losses are greater now. That’s proof that maybe we’re not so safe. I
expect that in two to three years, especially as Microsoft’s investments start to pay off,
we’ll see substantial improvements in cybersecurity. But the number of vulnerabilities has
been doubling every year and the number of attacks has been increasing at at least that
rate. Our security is better, but we’re no safer. It’s an arms race and the bad guys are
advancing as well as the good guys.
Q: Who’s winning the race?
I think we’re losing a number of battles right now. For right now, I think the bad guys are
winning. They’re getting money. They’re getting information. If they really wanted to launch
the destructive malicious worm, it would be devastating. They haven’t yet, but they’re
capable of doing that.