Cyber security experts converge in Huntsville for a bewildering test of hacking skills and a conference called TakeDownCon.
Ivan Garcia (left), VP of cyber security for COLSA, meets with security consultant Jim Simon (right) of Guntersville, owner of consulting firm i.e. LLC.
Jim Simon was a U.S. Army intelligence officer, career CIA analyst and partner in Microsoft before starting his own cyber security consulting firm named i.e. LLC. Now a Guntersville resident, the 66-year-old Simon offers this as a catastrophic cyber scenario: “If I’m a cyber terrorist, and I really want to get your attention, I would wait until all the rivers are at flood stage,” he says. “Then I would open all the locks and dams. I would kill 300,000 people. The Columbia River Valley and some other areas out West would be particularly good for that. Is that possible? Sure, anything would be possible.”
“No one is immune from a cyber attack,” says Ron Burgess, who recently retired as a U.S. Army lieutenant general after serving as head of the U.S. Defense Intelligence Agency, which has more than 16,000 employees. “I’ve been doing analyses on cyber threats for a long time, and I’m encouraged, because more people are starting to wake up to it. It’s a growing trend, and more people are trying to understand it,” says Burgess, 61, who now is senior counsel for national security programs, cyber programs and military affairs at Auburn University, where he graduated in 1974.
Simon and Burgess were among the featured speakers recently at Rocket City TakeDownCon, a cyber security conference hosted by Huntsville-based Dynetics and the EC-Council.
More than 270 people attended the event, and it was no ordinary gathering.
TakeDownCon included four days of hacker training — how to hack computers as well as how to defend against hackers — along with two days of presentations. Speakers ranged from the highest echelons of U.S. government security to a younger set of “white hats” — computer hackers who earn their living protecting computer-based networks against intrusions from the bad guys, the “black hats.”
For an outside observer who dwells outside the day-to-day cyber community, TakeDownCon clearly showed that hacking is not always a dirty word. If you’re going to stop hackers, you must know how to hack. It brings to mind the words of the Godfather, Vito Corleone: “Keep your friends close but your enemies closer.”
The threat is not limited to cyber terrorism and warfare, where death or mass destruction is the objective. Almost all cyber attacks are against individuals and businesses, normally attempts to steal money or intellectual property. “Hacktivists” — hacker activists from within an organization who attack it or steal confidential information — have become part of the news. Although most hacktivists are more interested in espousing their views than in making money, threats from within an organization pose perhaps the most danger. Says Simon: “The insider is the ultimate threat for what I would call catastrophic cyber.”
The volume of activity and change in the cyber world is all but overwhelming, and predicting where it goes from here is anyone’s guess. According to Huntsville Mayor Tommy Battle, 57, who made opening remarks at TakeDownCon and has actively sought to make his city a cyber-security leader: “Where we are right now is where the Wild West was when you had just gotten your 40 acres of land, but you still had to turn around and develop it. (Cyber security) is such a huge area, and it has vast subjects and vast applications. We’re just starting out.”
According to a recent study by security firm McAfee and the Centre for Strategic and International Studies, cyber attacks account for global losses ranging widely from $300 billion to $1 trillion annually. Loss categories in the report include intellectual property, such as information about a product or idea in development; theft of funds; service disruptions; the cost to secure systems against hackers, and the monetary loss resulting when a company’s reputation is damaged. Determining a more specific amount of loss is virtually impossible because many cyber losses go unreported, undetected or because it is often difficult to place a value on stolen information.
Gary Warner, director of research in computer forensics at the University of Alabama at Birmingham, presented testimony to U.S. Rep. Spencer Bachus that cyber attacks are “worse than ever.” Much of that can be attributed to the dramatic increase in online traffic. Warner’s testimony notes that in 2000, the entire e-commerce environment was only $5 billion. In just the first quarter of 2011, online retail sales reached $46 billion, or 4.4 percent of all retail sales.
In 2000, the majority of the world’s 360 million Internet users were in the United States and subject to American laws. By the first quarter of 2011, there were 2 billion Internet users but only 13 percent of them were in North America. So, 87 percent of Internet users are in other countries, but the largest concentration of wealth accessible from the Internet remains in the United States, according to Warner.
Warner’s testimony to Bachus warned that criminals are more committed to cyber crime than most law enforcement. UAB has reached out to local banks, businesses, legal groups and state and local law enforcement agencies in its effort to teach cyber security, conduct research and assist law enforcement in cases involving cyber theft. Warner’s blog — “Cyber Crime and Doing Time” (garwarner.blogspot.com) — is loaded with current information about cyber crime and scams. But catching cyber criminals and putting them in jail is an uphill battle, especially if the criminals are based in foreign countries and if the amount of money involved is relatively small.
As an example, Warner testified about a Federal Trade Commission case in which criminals made 1.3 million fraudulent charges against consumer credit accounts ranging in value from 20 cents to $10. “Imagine that you were a law enforcement official in a local police department receiving the phone call that someone has stolen $6 from the victim’s bank account,” Warner testified. “Ninety percent of the victims in that case never filed any form of a complaint.”
Security firm Symantec reports that cyber attacks on American businesses increased 42 percent in 2012. All of this presents monumental challenges for cyber security systems, but part of the equation is job opportunities. According to cybercrimestatistics.com, jobs for cyber security experts are expected to grow by 53 percent through 2018.
One of Alabama’s leading players in this landscape is Dynetics, which provides engineering, scientific and information technology services. Owned by its 1,300 employees, Dynetics has made “tremendous investments” in cyber security services, says Paul Coggin, an Internet consulting solutions architect for the company and a speaker at TakeDownCon.
“Cyber security is very much a growing market, and it’s the reason we had TakeDownCon,” Coggin says. “We’ve made tremendous investments in cyber security, not only in our lab facility dedicated to cyber but we’ve also made strategic hires of key individuals, brought in very talented employees, highly trained, highly educated. The company makes a lot of investments in training and conferences for the technical staff to keep everyone up to speed. It’s one of the major thrusts of the company.”
Coggin, 44, says he learned how to hack after starting work at Dynetics in 1999. “I had initially wanted to be an SME (subject matter expert) in networking — building and developing global networks,” Coggin says. “Cyber security was a new threat when I came on board. I didn’t get into hacking until I came to Dynetics, and the opportunity was given to me to work on security projects and engage in hacking. I proceeded to learn how to secure networks and think about how to attack networks legally and ethically under a signed legal agreement, to test networks for vulnerabilities, which is part of what we do here at Dynetics.”
The demand is strong for Coggin and others in his field. Coggin has spoken across the country, in Europe and Asia on behalf of cyber security protection and this fall will add Iceland to his list of speaking venues. His mission is a never-ending fight with those trying to break into computers and servers. “If you have a motivated adversary, you cannot protect against them 100 percent of the time,” he says. “If they are determined, if they have the time, the money and the resources, they will get into your system. It’s a matter of time. For protection, a company has to manage its investment in security systems, and that investment depends on the organization and the value of the assets they need to protect.”
Despite the explosive increase in cyber attacks and online activity, there is no widely accepted government framework in place for cyber security. Simon’s presentation at TakeDownCon noted that President Barack Obama issued a directive and an executive order earlier this year that dealt with security of the nation’s infrastructure, and prior presidents have issued similar guidelines.
Yet Congress has passed no legislation in response, and difficult questions and political issues remain to be addressed. For example, the very authority of the Foreign Intelligence Surveillance Court is being questioned, and that was before Edward Snowden’s defection as a consultant to the National Security Agency. Just how far should the government go in providing security without cutting into privacy rights of individuals and businesses?
“The role of the government is the $64,000 question,” Burgess says. “Civil liberties need to be protected, and there are those out there who ask if we have too much Big Brother in our government, and that’s a fair question. But I would refer back to our critical infrastructure — electrical power systems, transportation, water systems, chemical systems, oilrigs, anything that would affect our energy supply.
“Those have to be protected. And our world has become so interconnected, so there are vulnerabilities out there. The issue is going to have to be privacy rights and the role the government has in providing security. Discussion is necessary. Where does it lead? I’m not sure that question is ever going to be answered.”
Another major question is liability. Who is at fault when cyber theft or cyber attacks occur? Birmingham-based Sirote & Permutt is among a growing number of law firms who have formed a separate privacy and cyber security group. According to Todd Carlisle, an attorney in that group, banks and other financial institutions, business clients and security vendors are looking harder now at language in their agreements and contracts related to cyber security.
“These contractual issues can result in significant litigation when a cyber security incident results in material financial loss,” Carlisle says. “The developing market for cyber and data security insurance products has not matured at this point to a level where clarity exists as to whether and to what extent insurance coverage will be available for contractual disputes of this nature. This is an important area where knowledgeable insurance brokers and lawyers versed in the process of designing and implementing insurance programs can play a valuable role in reducing the adverse impact of cyber security incidents.”
Says Simon, “Some of those who will profit (from cyber) ought to. We need more cyber safety, and it is fair that those who provide it are compensated fairly. Obviously our system requires a legal system that protects us all. For publicly traded companies or associative entities, like credit unions reliant on reputation, the added scrutiny of the IT department, its purchases, practices and awareness all imply legal costs and process. That some of it is ‘good’ is certain, but the litigious nature of our culture ensures excess,” including frivolous lawsuits.
In the wake of Congressional inertia following President Obama’s cyber security directive and order, Simon is concerned that technologies “continue to advance at cyber speed while this government advances at the speed of committees. The world of cyber is not one of committee meetings but is one of efficiency coupled with effectiveness,” he says.
“For businesses, the issue is certainty,” Simon says. “Companies, especially commercial ones, care most about predictability and certainty. (President Obama’s cyber security initiatives) outline the government’s vision but without adequate detail or any evidence that corporate concerns have been considered. These are the first steps in what is going to be a long, confusing and contentious process.”
Cyber Security as Economic Development
Huntsville Mayor Tommy Battle recalls a speech several years ago in which U.S. Marine General James Cartwright, then the vice chairman of the Joint Chiefs of Staff, repeatedly made references to cyber warfare. “After he said cyber warfare for the 12th or 13th time, it seemed natural that cyber security was something we should look into,” the 57-year-old Battle says.
That speech eventually led to the creation of Cyber Huntsville, an all-volunteer organization whose bottom-line purpose is economic development in the cyber security field in Huntsville — a goal it works to achieve through an alliance of education, government and business.
“Cyber Huntsville works well together, really well, as well as any community in the nation,” says Rodney Robertson, executive director of Auburn University’s Huntsville Research Center and chairman of Cyber Huntsville’s executive committee. “If you tried to do something like this in New York City, it would be impossible if you used this approach. It’s fairly unique to Huntsville, to get this kind of cooperation across different sectors.”
Well-documented is Huntsville’s history with Redstone Arsenal and its status as a high-tech center in Alabama and the Southeast. Robertson says the city leads the nation in the number of engineers per capita, and many of those involved with missile and defense work at Redstone Arsenal already have government clearance, which would help any transition to doing government-related cyber security work. In addition to cyber security, Huntsville has similar initiatives for economic development for geospatial information, clean energy and life sciences.
Battle and Robertson both acknowledge that Huntsville is competing for cyber security work with cities in Texas, Maryland and Ohio, among others. The community comes together, Battle says, to look down the road “15 to 20 years to see how we will position ourselves as a community, and this community tends to lean toward the technology side of things.”
Education is a key part of the cyber security initiative. The Huntsville school system has no textbooks; all learning is on the computer. “We’re the largest digital school system in the nation,” Robertson says. “There are scholarships for students and cyber camps for high school and middle school students. They’re already getting exposed to this.”
The recent TakeDownCon conference in Huntsville included a hacking contest for 50 high school teams from around the world, and Battle proudly notes that two of the top six teams (Grissom, 2nd, and New Century Technology, 6th) were from Huntsville. “We’re trying to develop a workforce for the future,” Battle says.
Although there are other partnerships and organizations in Alabama involved with cyber security issues, Huntsville appears to have taken the lead in terms of a community- or region-based initiative, says Ron Burgess, a former head of the Defense Intelligence Agency who recently assumed a senior cyber-related post at Auburn University. Burgess also heads the Alabama Cyber Research Consortium, which fosters understanding and collaboration on cyber issues among the seven Ph.D-granting universities in Alabama and additional industrial and research affiliates.
“I see Huntsville being in the forefront of where cyber is headed,” Burgess says. “I don’t see other (communities) having the single-mindedness, if you will, that Huntsville has.”
Janelle McLean of EC-Council Foundation, sponsors of a global high school cyber competition CyberLympics, with Dynetics Vice President Jonathan Whitcomb.
Photo courtesy of Dynetics
Widespread Exposure: No Castle, No Perimeter
When Paul Coggin joined Dynetics in 1999, protecting a computer system was like building a castle and fortifying it with walls and a moat. There was basically one way in and one way out. Since then, the profusion of smart phones and other mobile devices has made it a totally different ball game. Now the castle has no walls and no moat for protection and is open to attack from anywhere.
Since the Internet’s creation, cyber criminals have used office- or home-based computers to establish fake Web sites and use e-mail to lure visitors into viewing bogus solicitations for money or personal information, such as credit card or banking account numbers. Along with that, and more feared, are viruses that allow a hacker to break into a computer or network and roam undetected from a remote location until deciding what to steal. This is an ideal way for cyber criminals to transfer money out a business’ bank account or steal business plans or other intellectual property.
As if that weren’t enough, mobile technology brings with it a whole new set of rules and possible vulnerabilities for computer systems. A German firm, for example, has discovered a bug that allows hackers to remotely gain control of and clone certain mobile SIM (Subscriber Identity Module) cards from mobile phones. This, in turn, could allow the hacker to use the victim’s identity to commit financial crimes or engage in electronic espionage. It’s estimated at least 500 million of the world’s 6 billion mobile phones are vulnerable to these attacks.
“It is an extremely complex, challenging problem compared to when I first started,” Coggin says. “When I first started, the bar was not nearly as high as it is now to be a competent consultant. You didn’t have mobile devices, you didn’t have Android, or iPhones or iPads and Microsoft tablets. Wireless was not prevailing; global networks weren’t prevailing. The networks were more static. But now, there is no perimeter edge. The user community is coming in on any kind of device from anywhere, and all of that represents possible vulnerabilities” to security.
“Anybody who thinks their system can’t be breached is uninformed and probably has already been attacked,” says Rodney Robertson, executive director of Auburn University’s Huntsville Research Center and chairman of Cyber Huntsville’s Executive Committee.
“Protecting a system is a cat-and-mouse game, and the people defending the network almost always are behind in the game, until they figure out a way to defend the intrusion.”
Charlie Ingram is a freelance writer for Business Alabama. He lives in Birmingham.