Hackers who attack U.S. in line for lucrative payoffs
By Adam Smeltz
Published: Saturday, Oct. 27, 2012, 11:30 p.m.
Google wants a few Good Samaritans.
The Internet behemoth offers $100 to $20,000 in rewards for observers who find serious bugs compromising its users' data.
But corporate thank-yous may not pay the bills for independent Web gurus with the smarts to dig into sensitive electronic networks, digital security analysts said. Paid hacking for rogue groups and overseas governments can promise a much more lucrative alternative, complicating the rising global threats against the United States' cybersecurity.
“Hackers today have a choice: They can report bugs and problems to manufacturers of software” or sell their findings to foreign interests, said Albert Whale, senior security director at ABS Computer Technology Inc. in Ross.
He said prices per job can begin in the tens of thousands of dollars and reach hundreds of thousands.
“They're in it for the money,” said Whale, a consultant for the international software-security firm Cigital in Dulles, Va. “Name recognition isn't going to put food on the table.”
The cryptic nature of hacking makes it tough to gauge how often independent contractors, paid on the black market, snoop on behalf of overseas government interests and unofficial organizations. It's unclear how much of the hacking community they represent.
Some estimates suggest 4,000 people might belong to the Russian Business Network, among the largest networks of cybercriminals, said Norwich University faculty member M.E. Kabay.
In many dictatorships, “it's difficult to understand how criminal hackers could be working at all without tacit or explicit government support,” said Kabay, a professor in computer information systems at the Vermont school.
Preparing for attack
Defense Secretary Leon Panetta focused attention on domestic cybersecurity this month in New York, where he raised the prospect of a “cyber Pearl Harbor.” He said thousands of “cyber actors ... probe the Defense Department's networks millions of times per day.”
Panetta said Defense officials unearthed breaches of infrastructure networks that control chemical, electricity and water plants, along with transportation systems.
“We also know (these hackers) are seeking to create advanced tools to attack these systems and cause panic, destruction and even the loss of life,” Panetta said.
Worst-case scenarios would include near-simultaneous cyberattacks and conventional ground assaults, together crippling electrical, financial and communications systems in coordinated takedowns, technology scholars said.
The impact could knock out power generators, muddle medical systems and block access to banking.
“All they have to do is pick the right grid system somewhere and start knocking it out and we'd have a domino effect,” said E. Douglas Harris, associate dean at the Erik Jonsson School of Engineering and Computer Science at the University of Texas at Dallas.
To safeguard the country in cyberspace, Panetta said, the Defense Department is investing more than $3 billion a year in “cutting-edge capabilities ... even in an era of fiscal restraint.” Additionally, the department is crafting policies and structuring better cooperation with industry and international partners, he said.
Panetta mentioned China as a source of “growing cyber capabilities.” In interviews with the Tribune-Review, academic and industry leaders identified China and Russia as key sources of cyberthreats to the United States.
Both countries have integrated cyber-warfare capabilities into their military strategies, said Frank Cilluffo, director of the Homeland Security Policy Institute at George Washington University. China especially has engaged in cyberspying for at least a decade, probably mapping the United States' electronic infrastructure and digging into private-sector intellectual property, analysts said.
They believe the large countries most committed to cybersnooping likely are developing in-house digital espionage teams instead of relying only on contractors.
“I think it's a very disturbing trend but it's probably also unstoppable,” said Gary McGraw, chief technology officer at Cigital and author of 12 books on software security.
McGraw said the United States has started to turn the tables on hackers, cyber-attacking the Iranian nuclear program in conjunction with Israel.
Small, but bold
Smaller adversaries such as Iran and North Korea present hacking threats on a less-sophisticated scale than China or Russia, but they can make up the difference with bold willingness to act, Cilluffo said. Investigators traced to Iran the denial-of-service attack at PNC Bank this month, the bank reported.
Iran, saddled with U.S. sanctions, might pursue cyberattacks as a way to push back and rattle the economy, analysts said. China probably uses its cyber prowess to sniff out trade secrets and prepare for possible confrontations. Rogue terrorists might attempt more crude attacks to drum up publicity and wreak havoc.
“Much of the infrastructure has never been designed to face an attack” through cyberspace, Kabay noted. Systems such as power grids were retrofitted to tie into the Internet but engineers added “trivial or no security” in the process, he said.
“Computers were never designed for cyberthreats,” Harris said. “They were designed as open networks.”
For technology professionals, that means a booming job market as businesses and other groups double down on safety.
The Bureau of Labor Statistics predicts the information technology job category that includes security workers will grow 22 percent in the next several years.
At the Cato Institute in Washington, Jim Harper said the private sector controls most digital data and is “best positioned to find problems related to cybersecurity.”
“The parties responsible for securing trade secrets are the owners of those trade secrets and intellectual property in the private sector,” said Harper, the director of information-policy studies. “It's not the government.”
Adam Smeltz is a staff writer for Trib Total Media. He can be reached at 412-380-5676 or email@example.com.
Show commenting policy
TribLive commenting policy
You are solely responsible for your comments and by using TribLive.com you agree to our Terms of Service.
We moderate comments. Our goal is to provide substantive commentary for a general readership. By screening submissions, we provide a space where readers can share intelligent and informed commentary that enhances the quality of our news and information.
While most comments will be posted if they are on-topic and not abusive, moderating decisions are subjective. We will make them as carefully and consistently as we can. Because of the volume of reader comments, we cannot review individual moderation decisions with readers.
We value thoughtful comments representing a range of views that make their point quickly and politely. We make an effort to protect discussions from repeated comments either by the same reader or different readers.
We follow the same standards for taste as the daily newspaper. A few things we won't tolerate: personal attacks, obscenity, vulgarity, profanity (including expletives and letters followed by dashes), commercial promotion, impersonations, incoherence, proselytizing and SHOUTING. Don't include URLs to Web sites.
We do not edit comments. They are either approved or deleted. We reserve the right to edit a comment that is quoted or excerpted in an article. In this case, we may fix spelling and punctuation.
We welcome strong opinions and criticism of our work, but we don't want comments to become bogged down with discussions of our policies and we will moderate accordingly.
We appreciate it when readers and people quoted in articles or blog posts point out errors of fact or emphasis and will investigate all assertions. But these suggestions should be sent via e-mail. To avoid distracting other readers, we won't publish comments that suggest a correction. Instead, corrections will be made in a blog post or in an article.
- Kovacevic: Bylsma’s moves — yes, moves — pay off
- 4 dead in Armstrong County crash
- Penguins rally to escape with a victory in Game 1 against Columbus
- Former Pitt captain Cavanaugh blazes trail as entrepreneur
- Physical Columbus team is a hit in playoff opener against Penguins
- Veteran North Huntingdon police officer fired
- Play of the game: Sutter’s goal completes rally
- Highmark vs. UPMC: Stop frightening seniors
- Retired postal worker picks $1M winner
- Pirates notebook: Walker’s razor a right-handed swing solution
- Police see no sign Franklin Regional stabbing suspect was bullied