Sunday December 24, 2000
Security a low priority in Y2K
By Robert Lemos, ZDNet News

The United States adopted a national plan for protecting computer networks, and corporations survived a variety of attacks. That doesn't mean they're taking security seriously.

The apocalypse widely expected to bring the tech world to its knees at the new millennium didn't occur. But security experts agree that disaster still looms.

The Year 2000 bug was squashed by a massive international effort that monopolized most of 1999. The distributed denial-of-service attacks that slowed traffic to several high-profile sites in February amounted to a momentary stall in the fast ascent of e-commerce. The "LoveLetter" virus paused e-mail traffic for, at most, a few days in May. Microsoft acknowledged in October that an intruder explored its internal network a dozen times, but the company's claims that the hacker window-shopped but didn't steal were accepted, and the matter was dropped.

Security experts say the corporate and government sites that escaped permanent damage in 2000 got lucky. But they warn that it may take a major Internet disaster to persuade businesses and governments to work together to secure the online world for the future.

"It is going to take an economic incentive," said Eugene Spafford, professor of computer science at Purdue University and the author of several texts on security. "Right now, not enough people have suffered enough pain. It is either going to take a large disaster or we are going to have to get to the point where people realize how much they are spending online and see that it's worth doing something differently."

It's a grim thought that's somewhat surprising, considering all the things that went wrong in 2000.

While the Y2K bug failed to materialize, President Clinton made cybersecurity a national priority -- at least on paper -- with the release of the National Plan for Critical Infrastructure Protection. Cyberspace was calm for all of a month.

Chaos, but no disaster
On Feb. 7, starting with Yahoo!, major Internet sites found their servers choked by massive streams of data from an unknown source in a series of distributed denial-of-service (DDoS) attacks.

By the end of the week, eight major sites--including CNN, eBay and ZDNet--had watched their Web traffic slow to a crawl or halt.

In April, the Royal Canadian Mounted Police and the FBI arrested a 15-year-old Montreal-area boy, who used the name "Mafiaboy" online, and charged him with the attack on CNN.com. Authorities later charged him in the other DDoS attacks as well.

The Internet suffered another attack in May, this time in the form of a virus that panicked users and corporations alike. The LoveLetter virus, also known as the "ILOVEYOU worm" and the "Love Bug," swept through corporations in a surge of e-mail, obliterating files and leaving chaos in its wake.

Given what they had learned from the "Melissa" virus of 1999, most companies were able to quickly control the LoveLetter virus. The creator was tracked to a suburb of Manila. The Philippines had no law to deal with such a crime, but the government vowed to charge the suspect with credit card fraud.

In August, a public relations wire suffered the first major media hack. A false press release distributed over the Internet Wire announced that network equipment maker Emulex Corp. (Nasdaq:EMLX) would restate its earnings and fire its CEO. Within hours, the trumped-up news caused the company's stock to plummet almost $70 to near $40 a share. The share price recovered once the hoax was discovered. The hacker pleaded innocent to charges of securities fraud in October.

Even Microsoft couldn't fend off Internet attacks. Frequently taken to task for bugs in its software, at the end of October the software giant revealed that an attacker had gained access to its internal network. Microsoft steadfastly denied that the intruder gained access to its software source code, but many questions remained.

And those were only the highlights in 2000. There were numerous smaller virus attacks, thefts of several credit-card databases and extortion to top it all off.

While each of the incidents caused a brief uproar, security protection policies received scant attention, said Purdue's Spafford.

For example, the DDoS attacks brought many industries together to share information among themselves, but few could suppress their competitive urges, Spafford said. "You have a lot of groups who didn't talk to each other and cooperate."

Meanwhile, the National Plan gained little ground in political circles. Some funds have been earmarked for the National Infrastructure Protection Center, the Federal Intrusion Detection Network, and the Scholarship for Service program dubbed "Cyber Corps," but most of the initiatives outlined in the document remain dead in the water.

"It certainly does not show that we learned a lot," Spafford said.

David Farber, professor at the University of Pennsylvania and a well-known Internet technologist, agreed, saying that most of the United States relies on software with no security model to fulfill key functions.

Instead of building secure systems with less functionality, companies have settled for patching the holes. And that has to stop, Farber said.

"It's kind of like patching a leaky roof," he said. "At some point, you're going to have to replace the roof."
