SIGNAL

Thursday, July 15, 2004 VOLUME 1 ISSUE 10  
Spyware Stymies Network Operators
Legal ambiguities preclude software from being fully defined and defendable.
by Henry S. Kenyon

The U.S. government is growing concerned about a family of computer programs that can infiltrate and compromise system integrity. These programs attach to a host computer during Internet browsing and send data to a third party about how that machine is operated. Although most of this code is used for legitimate business or marketing purposes, many types can circumvent firewall protections, leading to security breaches.
 
Some data on the Internet comes with invisible strings attached. Known collectively as "spyware," this is a broad family of software products that reside on a host computer and monitor its activities. Some are benign, and necessary; anti-virus software falls under this definition. But others can track a user's Web page preferences or monitor keystrokes and passwords, then transmit that data to hackers.
 
Although government cybercrime groups have discussed the threat of spyware, a major difficulty in launching initiatives against it is that no official definition exists, explains Mark Eckenwiler, deputy chief of the U.S. Department of Justice's Computer Crime and Intellectual Property Section, Washington, D.C. "That's part of the problem. Like identity theft, it means different things to different people," he says.
 
Eckenwiler believes that the biggest issue with spyware is user consent. This extends to a number of functions that appear on desktop systems, from pop-up advertisements to price comparison features. If users agree to accept any of these functions that operate on their computers, few legal objections can be brought against the activities. "I think it raises some difficult questions about whether that's something the government ought to interfere in. Certainly, if the user has consented, as a criminal matter, the statutes that we work with like the Computer Fraud and Abuse Act just wouldn't have any application," he says.
 
The U.S. Army Corps of Engineers, Washington, D.C., is an example of an organization that is struggling to come to terms with the ambiguous nature of these programs. Thomas J. Aubin, the organization's information assurance program manager, has found no satisfactory solution to the issue. He adds that because spyware resides on many legitimate programs, it creates a number of challenges for an organization's information technology architecture because many tools associated with this kind of software are designed to work around firewalls.
 
The Corps of Engineers has implemented stringent security measures because it was the victim of a major cyberattack, Aubin explains. In the late 1990s, a group of Russian hackers broke into the Corps' and a number of other U.S. government computer systems. This was the "Moonlight Maze" incident. "The Russians hacked into our network and were using our computers to jump to industry and other government and military computers," he says.
 
The hackers gathered sensitive data, processed it in Corps of Engineers computers and held it there for 30 days before moving it to England or Canada. There it resided on other computers for another 30 days before being encrypted and sent on to Russia.
 
The Central Intelligence Agency and the Federal Bureau of Investigation became aware of the hackers' activities and asked the Corps to continue operating its systems as normal to track the intruders, Aubin relates. Once enough evidence had been accumulated, the Russian government was approached, and the hackers were arrested. "As a result of that whole operation, the Army funded us, and we got a lot of firewalls and intrusion detection equipment," he says.
 
The U.S. Defense Department has contracts to provide the Corps of Engineers with free anti-virus software. According to Aubin, there are three types in use: Trend, Norton and McAfee. Aubin notes that at Corps of Engineers headquarters in Washington, D.C., network administrators use Antigen software, which uses the updates from all three types of anti-virus software. Although incidents do occur, network security has greatly improved since Moonlight Maze.
 
The government and industry have been discussing spyware, but the definition is ambiguous, so these types of programs are grouped together with worms and viruses because they can act without user consent. "When people talk about spyware, sometimes they're really not talking about a piece of software that acquires private communications about the user. They may just be talking about something that subverts the user's control of the computer," Eckenwiler explains.
 
Like other forms of malicious code, spyware that represents a threat to computer networks is a violation of federal and state laws. However, Eckenwiler cautions that the criminal investigation process usually works after an incident has occurred. "People come to us with a report that some event has occurred, and if there's enough evidence to go forward, then an investigation is launched. That's a lot of machinery to gear up," he says.
 
As with any crime, the police cannot be everywhere. Threats to an organization's computer networks must be countered by an active network defense. "Law enforcement is plainly part of the equation. We do have an important role to play in terms of deterrence. But it's just one leg of the stool. I think having one's eyes open with respect to the kinds of electronic threats that are out there and taking proactive measures is an equal part of avoiding this problem," observes Eckenwiler.

The full version of this article is in the August 2004 issue of SIGNAL, in the mail to AFCEA members and subscribers August 2, 2004. For information about purchasing this issue, joining AFCEA or subscribing to SIGNAL, contact AFCEA Member Services.
 
 

Published by AFCEA International
Copyright © 2004 AFCEA International. All rights reserved.
Copyright is not claimed in the portions written by government employees within the scope of their employment. Authors are entirely responsible for opinions expressed in articles or letters appearing in AFCEA publications, and these opinions are not to be construed as official or reflecting the views of AFCEA. SIGNAL is registered in the U.S. Patent and Trademark Office. All rights reserved. Copyright 2004 by the Armed Forces Communications and Electronics Association (AFCEA).