I was working from my home office a few years ago when my access to a Web site called NC World was suddenly cut off. My service provider told me that a router in Southern California had gone down. This struck me as odd for two reasons. First, I live in Northern California, about a half-hour from San Francisco, where NC World was hosted at the time. Second, I was under the impression that one of the primary design goals for the Internet was to make sure that communications would proceed uninterrupted even if some of the primary hubs are taken out by a nuclear blast.
I have no idea what really caused this temporary outage, but I assume it occurred because of a minor hardware failure or administrator error. But if Internet communications are this easily interrupted by accident, I can't help but conclude that we are totally unprepared for the consequences of an intelligent, direct attack by cyberterrorists.
Here's how you can prevent such an attack: Think like a terrorist. Look at trends, and explore every possible opportunity and method possible to launch an attack on the U.S. infrastructure and economy. Then put your IT hat back on and plan ahead to prevent these methods from working.
Here's an example. One inevitable trend is the increase in business-to-business transactions over the Internet, a trend that will only be fortified by the advancement of Web services. Let's assume, for the sake of argument, that within two to 10 years, most business-to-business transactions will take place over the Internet. If I were a cyberterrorist, I would plan now for the day when I could disrupt as many of these business-to-business transactions as possible. Depending on how many servers I could bring down and for how long, I could create big headlines, delay or halt shipments, or perhaps even do lasting damage to the economy.
The obvious method is to launch a distributed denial-of-service attack. That would get me the most bang for the buck. I don't have to defeat firewalls, gain administrator access to business computers or crack any Web services to launch this kind of attack. All I have to do is overwhelm carefully selected servers or just as many servers as possible.
So, how do I distribute the attack software? Microsoft's business model is the most promising. Microsoft makes its money by putting its products in the hands of as many people as possible, after which it charges everyone in the service chain a nickel. Its latest plan revolves around turning the Xbox game console into a home entertainment center, after which it can charge content providers for the digital rights management they so desperately need in order to protect their revenue streams.
Microsoft needs only two things to happen to make this work: It must get the Xbox into 100 million homes or more, and the cost of broadband access to the Internet has to drop to within reach of the average household.
You should be able to see where I'm going with this by now. If you wanted to launch the ultimate denial-of-service attack, what more could you ask for than 100 million Xbox units with broadband access to the Internet, all running software developed by the "crack me" specialists of the world?
Now, what's the cure?
I'm afraid to disappoint those of you who are expecting a knee-jerk anti-Microsoft response, but nuking the Xbox wouldn't solve anything. Microsoft is depending on getting its software into every home one way or another, so the best answer is to prepare for that day.
For one thing, I would pressure everyone necessary to standardize and implement quality-of-service (QOS) protocols. Demand that your ISP support QOS. Implement QOS as part of your plans for Web services. Most important, pressure vendors to implement QOS in hardware whenever possible, especially for high-volume consumer devices like game machines, cell phones or anything else that can connect to the Internet. If the hardware wraps every packet in a low-priority envelope, nobody can trick an Xbox or any other consumer device into generating data that takes precedence over the information that runs our country.
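As an added illustration (not part of the original column), the sketch below models a congested link twice: once as a single shared FIFO, and once with a strict-priority scheduler that serves traffic marked low priority by consumer hardware only when no business packet is waiting. The class names, arrival rates and link capacity are constructed assumptions.

```python
from collections import deque

# Constructed traffic classes; the lower number is served first.
BUSINESS, CONSUMER = 0, 1

def simulate(arrivals, capacity_per_tick, ticks, honor_priority):
    """Run a bottleneck link for `ticks` ticks.

    arrivals: dict class -> packets arriving per tick (constructed load).
    capacity_per_tick: packets the link can forward per tick.
    honor_priority: True  = one queue per class, strict priority (QoS);
                    False = one shared FIFO (no QoS).
    Returns dict class -> (delivered, mean queueing delay in ticks).
    """
    queues = {BUSINESS: deque(), CONSUMER: deque()}
    fifo = deque()
    delivered = {BUSINESS: 0, CONSUMER: 0}
    delay = {BUSINESS: 0, CONSUMER: 0}
    for now in range(ticks):
        # Consumer packets are enqueued first in each tick, which is the
        # worst case for business traffic sharing a FIFO.
        for cls in (CONSUMER, BUSINESS):
            for _ in range(arrivals[cls]):
                (queues[cls] if honor_priority else fifo).append((cls, now))
        for _ in range(capacity_per_tick):
            if honor_priority:
                # Pick the highest-priority queue that has a packet waiting.
                q = next((queues[c] for c in (BUSINESS, CONSUMER) if queues[c]), None)
            else:
                q = fifo if fifo else None
            if q is None:
                break
            cls, arrived = q.popleft()
            delivered[cls] += 1
            delay[cls] += now - arrived
    return {c: (delivered[c], delay[c] / delivered[c] if delivered[c] else None)
            for c in delivered}

if __name__ == "__main__":
    load = {BUSINESS: 2, CONSUMER: 50}   # constructed flood: 25x business volume
    print("FIFO    :", simulate(load, 10, 100, honor_priority=False))
    print("Priority:", simulate(load, 10, 100, honor_priority=True))
```

With this constructed load, the prioritized link delivers every business packet with no queueing delay, while the shared FIFO delivers only a fraction of them.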
This is only one example and one possible solution. How many can you think of?
Nicholas Petreley is a computer consultant and author in Hayward, Calif. He can be reached at nicholas@petreley.com.