'

Denial-of-Service: How big is this threat?

The distributed Denial-of-Service attacks that recently hit eight major Web sites are just "the tip of the iceberg," according to FBI Director Louis Freeh

Addressing a Senate sub-committee of cyber crime last week, Freeh said the attacks against Yahoo!, Buy.com, eBay, Amazon.com, Microsoft's MSN.com, ZDNet and, finally, E*Trade, which are still under investigation, demonstrated the ease with which e-crimes could be committed.

Freeh also said US laws had not kept pace with fast-changing technology, and that the FBI was working with the US Department of Justice to propose a legislative package to update the laws. The FBI director said he did not want "extraordinary powers," just enough to deal with the phenomenal changes that have accompanied the Internet.

"In short, even though we have markedly improved our capabilities to fight cyber-intrusions, the problem is growing even faster," he told the committee.

Freeh's "tip of the iceberg" comment appears to be Bureau boilerplate.

Michael Vatis, director of the National Infrastructure Protection Center, made similar "tip of the iceberg" comments about the DDoS attacks while speaking at the Global Internet Summit in Fairfax, Va, in March. (The NIPC was created by the FBI and US Department of Justice to fight cybercrime.)

"The range of threats to citizens to government to businesses are much, much broader than a denial of service attack that lasts just a few hours," Vadis said.

E-crime's unique problems

"Icebergs" aside, although many are quick to downplay the significance of cybercrime -- pointing out that most "crimes" are juvenile hackers looking for thrills on the Internet -- recent events have underscored the uniqueness of online crime.

In January, a Russian data thief using the alias Maxus raided online music seller CD Universe, taking as many as 300,000 credit card numbers. Initially, Maxus had attempted to extort $100,000 (£62,000) from the company in exchange for not releasing the card numbers to the Internet. The company refused and Maxus duly posted the credit card numbers.

While CD Universe has paid the price for its poor security with a public-relations nightmare, other companies that accepted the stolen numbers are the ones who had to foot the bill.

Worse for law enforcement, finding and arresting Maxus, who is believed to live in the former Soviet Union, is a nearly impossible task, underscoring the jurisdictional problems of chasing electronic criminals.

And attacks are getting more common. A recently released report created by the San Francisco-based Computer Security Institute and the FBI found that more than 70 percent of the companies responding to the annual CSI survey detected serious security breaches in the past 12 months.

The attacks included theft of proprietary information, financial fraud, system penetration by outsiders and denial-of-service attacks.

Yet, the report, created in conjunction with the FBI's San Francisco Computer Intrusion Squad, cannot be considered a scientific sampling of how common cyberattacks are in the United States, said creator Richard Power, editorial director of the CSI.

In fact, Power doesn't agree with the FBI policy asking for more laws. Instead, what it really needs is more cooperation from industry, he said. "The Computer Fraud and Abuse Act and the Espionage Act are plenty. The problem is that corporations don't want to go into court and report on being hacked. It's a public relations issue."

For e-commerce and the computer industry, a lack of security could scare off consumers, putting the brakes on almost a decade of unprecedented growth.

"The people who service the businesses are probably more worried that their lack of security is going to turn people away," said David Farber, professor of the University of Pennsylvania and a noted Internet visionary. "More than that, there's a whole set of businesses connected to the Net that don't see another person because they do business-to-business e-commerce. Those companies are afraid that someone could disrupt their supply chain."

That problem extends to the national infrastructure as well, said NIPC's Vatis: Systems are more interdependent than ever before. "What's different now with the information age is that these things are much more vulnerable than they were before," he said. "If you bring down one of them, you have cascading effects. Our vulnerabilities are multiplied."

At risk are telecommunications, information technology, banking and finance, energy, transportation, government operations and emergency services.

The transportation industry has a long way to go before it considers itself up to par, said Richard Holmes, director of information technology and security for railroad and logistics giant Union Pacific.

Holmes is one of seven member of the Partnership for Critical Infrastructure Security -- a working group set up to study the problems of securing the national infrastructure.

Union Pacific uses a large computer network to route traffic around its thousands of miles of tracks and provides control software and oversight to other transportation networks.

Just the thought of an attack on the system scares Holmes. "It's pretty hard to protect 36,000 miles of track," said Holmes. "Another problem is that one of the unique aspects of railroads is that there is an awful lot of fiber buried along the railways."

A simple physical attack could cut fibre and slow -- or even down -- segments of the Internet. Numerous backhoes have demonstrated the ease to which the Internet can be hurt by fibre cuts.

At the other end of the spectrum, the financial industry is probably the farthest along in terms of defense.

Already, the banking and financial industry has banded together and -- as of last October -- has created a network for reporting threats and attacks on financial companies anonymously. Called the Financial Services Information Sharing and Analysis Center, the service reportedly warned members of the possibility of a Denial-of-Service attack weeks before the February incidents with Yahoo! and other major e-commerce sites.

"The distributed Denial-of-Service attacks have really done a lot to get people to focus on a lot of things that people in the security community have been asking to get handled for a while," said Stephen Katz, chief information security officer for Citigroup and chairman of the FSISAC.

Additional reporting by Lisa M. Bowman, ZDNet News

What do you think? Tell the Mailroom. And read what others have said.

Take me back to the Cyber terrorism special