The Globe and Mail (Canada), June 26, 2003
By CHRISTOPHER GULY, Special to The Globe and Mail
OTTAWA — Stepping up its war against on-line terrorism, the federal government is launching an effort to anticipate and stop cyber-attacks before they happen.
In addition to having agents scour the Internet to get the latest buzz from hacker chat groups, a key tool available to Ottawa could be so-called honey pots — special decoy computer systems placed on the Net that are designed to be easily penetrated and gather detailed information about attacks, including the techniques perpetrators use.
“We’ve been really good at fixing problems, but we now want to build on that experience to work with Canada’s allies, federal government departments and private sector organizations in being able to analyze the types of threats and attacks we need to prepare for,” Tim Larson, spokesman for the Communications Security Establishment (CSE), an arm of the Department of National Defence, explained at a recent symposium in Ottawa.
Simon Gauthier, who last month became the federal government’s deputy chief information officer, says the “potential for a significant and serious incident happening on the Internet is absolutely real” and could extend well beyond a basement hacker launching a widespread denial-of-service assault to a major terrorist strike targeting air navigation systems or North America’s electrical power grid.
Trouble is, no one yet knows how this cataclysmic event might occur, and there’s little Canada and other countries can do at the moment to prevent it, Mr. Gauthier says. “We’re still at the bow-and-arrows stage with the technology we employ — intrusion-detection systems, virus checkers and so on — which are still in their infancy. We haven’t reached a warfare level of protection, which is where we need to go.”
So far, Ottawa has created a Cyber Incident Co-ordination System (CICS), a national “protection, detection, response and recovery” initiative involving officials from the RCMP, the Canadian Security Intelligence Service and other government departments, according to Jim Harlick, assistant deputy minister of the Office of Critical Infrastructure Protection and Emergency Preparedness (OCIPEP), which also is affiliated with the Defence Department.
Currently, OCIPEP issues “alerts” when a threat, vulnerability or incident has the potential to seriously affect the federal government or other sectors of Canada’s critical infrastructure, as well as “advisories” when the risk is considered to be limited in scope but could still have an impact. The government office also releases “information notes” about cyber-security issues that are not as time sensitive.
OCIPEP recently released an advisory over the so-called Fizzer worm, which last month infected computers around the world through malicious e-mails sent to Microsoft Outlook addresses.
A survey published in 2002 by the U.S.-based Computer Security Institute concluded that 90 per cent of 500 corporations, government agencies and medical, financial and educational institutions had detected security breaches in their systems the previous year.
David McMahon, a senior security engineer with Ottawa-based Electronic Warfare Associates-Canada Ltd., an information technology security company that collects and disseminates information about computer threats, offers a more sobering statistic. He estimates that every connection to the Net in Canada is attacked at least 400 times a week. And “large, visible organizations could expect to get 10 times that amount per week.” Though firewalls and intrusion-detection systems will log all activity, malicious or not, and trigger security alarms, most companies and organizations ignore those reports and thus remain unaware that they’re being assaulted, he says.
“Attacks are at such a high level, because they can be automated — and do occur at the speed of light,” Mr. McMahon says.
Much of that activity is the result of people using automated software to search for security holes, explains Mr. McMahon, who also serves as a security consultant for the CSE. Such software has become easily accessible over the Internet. However, he adds that less than 1 per cent of cyber-assaults are the result of sophisticated hackers targeting specific sites.
“The bad guys often lose their way when trying to get their hands on key critical systems, so they go for the low-hanging fruit they can access from systems that are easier to penetrate.”
Mr. McMahon says it’s also important to scan the Net for intelligence about hacker activity.
“There’s a certain amount of chatter and noise on the Internet about scams, groups sizing up sites or systems, or targeting countries or companies,” he says. “So, it’s important to pay attention to what’s going on and get a hold of a target list to warn those on it they might be attacked by someone who is planning to exploit a system’s vulnerability. It’s about finding out who’s planning to do what and why and, at the very least, getting them kicked off their Internet service provider. But we’re not there yet.”
Perpetrators tend to be young people with advanced computer skills who are out to cause mischief and who might, on occasion, gain access to credit-card numbers from e-commerce sites to make some money on the side, Mr. McMahon says. “In Canada, there are less than a dozen of what I would call elite hackers.”
Not as common but potentially more dangerous is the pairing of sophisticated hackers with organized crime groups, state-sponsored espionage programs and terrorists.
However, Mr. McMahon doesn’t believe the most serious cyber-threats will come from the usual terrorist suspects, such as al-Qaeda, Hamas, Hezbollah or the Tamil Tigers, or from such rogue states as North Korea, which either have “pedestrian” technological abilities or rudimentary telecommunications infrastructures.
He says the one group to keep an eye on is Aum Shinri Kyo, the Japanese cult that has not been linked to any terrorist attacks since its 1995 sarin gas assault on Tokyo’s subway system but that potentially poses the greatest threat, since many of its followers possess advanced computer skills.