Successful attack on nation's infrastructure is 'when,' not 'if'

In a Nextgov interview, celebrity-hacker-turned-security-guru Marc Maiffret says systems that control major operations like transportation and utilities can be easily breached -- and already are under attack.

080610MaiffretNGins Former hacker Marc Maiffret says the federal government should use its buying power to improve security.Kevork Djansezian/AP File Photo

Marc Maiffret now is the co-founder and chief technology officer at eEye Digital Security, but about a decade ago he was better known as "Chameleon," "Rhino9" and "sn1per," pseudonyms he used while breaking into some of the nation's computer networks. He even appeared in MTV's series True Life: I'm a Hacker.

The celebrity-hacker-turned-software-company executive is credited for discovering the first Microsoft computer worm Code Red, and graced the covers of Details, Entrepreneur and Inc. magazines, as well as the front pages of The Los Angeles Times and USA Today. He also testified before Congress about how easily the nation's most sensitive networks could be penetrated.

What does he have to say today? Maiffret warns it's not if networks operating the nation's critical infrastructure will be attacked, but when. As evidence, he mentions how in only two hours he broke into a system that controlled the water supply for a large city in California and was able to manipulate major operations such as how much chlorine was added.

But Maiffret says other threats loom for government systems: cybercrime and espionage. "The [massive exposure of sensitive information] by WikiLeaks shows that it's so much easier to steal sensitive information now than [during] the Cold War, when you needed people physically planted on the ground," he said.

Maiffret spoke on Friday with Nextgov Senior Reporter Jill R. Aitoro about today's cyberthreats and what should most concern government. The following is an excerpt from the interview.

Nextgov: The Black Hat conference just wrapped up. Any insightful discussions worth sharing?

Maiffret: A standout was the ATM hacking, in which someone made an ATM machine remotely spit all of its money onto the floor.

One thing I found more interesting [than the sessions] was the side conversations at the coffee shop or lobby bar, where you'd hear researchers talk about the number of undisclosed zero-day vulnerabilities they've come across [that can be exploited before software developers even know they exist]. It sounds like there's a heyday going on.

Nextgov: Does government have access to that kind of information?

Maiffret: It used to be that Microsoft would [be told about a vulnerability] and post a patch online. Now, researchers are looking to get recouped for the work they're doing, so software vendors, contractors and government pay them to find the zero-day vulnerabilities and understand how they work from both the offensive and defensive perspectives.

Nextgov: Is that kind of penetration testing used to enhance the security of federal networks and systems?

Maiffret: There's a good level of testing, but the government has a very repetitive, formulaic process for hacking into themselves, which runs contrary to how an attacker will go after an organization by thinking more outside the box. The problem is the people from the security and research industries who are invited to brainstorm [with the government] have worked on and off in D.C. for 10-plus years and are just as [entrenched in the bureaucratic way of doing things].

Some of that is changing though. The famous hacker "Mudge" [Peiter C. Zatko] is now in charge of programs at [the Defense Advanced Research Projects Agency], working from the inside out to create a bridge between government and the everyday hacking community.

Nextgov: How does that transition from celebrity hacker to government employee happen?

Maiffret: Most of us who have crossed over from a hacking background to a presence and voice in government were not so much plucked out, but put in the legwork. Back in 2003 or so when I first testified before Congress about threats [targeting] the critical infrastructure, I wanted to raise a red flag.

Nextgov: Cyberattacks against the critical infrastructure remain a big concern.

Maiffret: Now it's not a matter of 'can' [an attack] on the critical infrastructure happen, but 'when.' It's a race to the finish. Only a few weeks ago we saw a Microsoft zero-day vulnerability targeting SCADA systems, [Supervisory Control and Data Acquisition systems, which usually control critical U.S. infrastructures such as the transportation and utility industries], to get information and access. Microsoft responded to the vulnerability, but to me, the probe was just testing the waters [in the same way that] Code Red did years ago. That worm was not the best written, but it was an exploratory event -- to see what a computer worm could do. In the next two years, we could see more serious things happen [involving our critical infrastructure].

Nextgov: We hear so often how SCADA systems were not designed to work in a networked environment. Is that the problem?

Maiffret: I did a penetration test as a consultant for a large city in California, and within two hours, I was able to get access to the systems that controlled filtration of the city's water supply to not only monitor, but to manipulate: leak in extra chlorine, for example.

What was so eye-opening was that most of the weaknesses that I [exploited] were already known to the engineers working for the city. They're coming from a place of frustration, because most of the vendors that make the control systems don't allow updates for fear they'll cause something to go wrong. To me, that's a ridiculous problem, knowing about weaknesses but being unable to do anything about them because of mandates from vendors on how these systems have to run.

Nextgov: There are a lot of motivations for cyberattacks. Which should concern government most?

Maiffret: The two top threats are cybercrime and espionage.

Cybercrime has become so prolific, but we have a difficult time tracking down and bringing to justice the people behind the attacks. It's not a lack of good folks at the FBI and elsewhere trying, but rather our relationships with other countries and their unwillingness to give us access and information to work leads.

As for espionage, the [exposure of sensitive information] by WikiLeaks shows that it's so much easier to steal sensitive information now than [during] the Cold War, when you needed people physically planted on the ground. Everything sits online for anyone to access from anywhere in the world. That dramatically lowers the bar of what's required to get into the game.

Nextgov: WikiLeaks shows that the threat from inside is just as great from the outside.

Maiffret: There are so many ways to get data out of an organization, even when that organization's networks are not connected to the Internet. That being said, I'd say there was definitely a lapse of security. [The Defense Department] wasn't necessarily missing a safeguard, as much as a certain safeguard was not followed, which created a window of opportunity. This was a process failure, not a James Bond [scenario]. That's the scary part.

Nextgov: You've tracked cyberattacks for a long time. How have they changed?

Maiffret: We're not dealing with teenage hackers attempting to steal small amounts of credit card information. These are full-scale businesses, backed by organized crime groups that can bridge the gap where hacker skills end to maximize the massive amounts of data being stolen. That marriage is why we've seen a dramatic spike in data theft. It's compounded by the fact attacks can now be embedded in every website, making it hard to explain to the average consumer how to navigate the Internet in a safe way. We're dealing with an open playground.

One of the greatest things the federal government can do to improve security is use its buying power. At the end of the day, security is an afterthought for vendors because it's not something that can make companies money. But when you have government saying that to win a contract, you need to meet certain levels of security, those same companies see the dollar signs they may miss out on.