Boeing among defense firms fighting cyberterrorism
Post-Dispatch Washington Bureau Chief
June 13, 2010
By Bill Lambrecht
WASHINGTON -- At Boeing Co.'s cyber operations center in St. Louis, a flashing, 54-inch computer screen warns of modern-day burglars and spies.
In an hour's time on a typical morning this spring, Boeing's elaborate detection system logged 3,722 suspicious efforts to gain access to the company's global computer network.
Boeing analysts worked swiftly with company cybersleuths at other locations to secure the network and identify would-be intruders.
But tracking the hackers can be tough, even with their nine-digit Internet Protocol addresses flickering in vertical rows on the huge color monitor.
"The bad guys are really good at hiding their tracks," observed Kevin Nikkel, a Boeing security analyst.
They're persistent, too -- to an extent that most people can't fathom. At Boeing, the automated attacks don't stop, keeping teams of security analysts busy round the clock.
And that's just at Boeing.
The new head of the U.S. Cyber Command, Gen. Keith Alexander, revealed this month that Pentagon systems are attacked 250,000 times an hour, 6 million times a day. The attackers range from foreign intelligence agents to for-profit criminal enterprises to hackers trying to make mischief, security specialists say.
"In short, we face a dangerous combination of known and unknown vulnerabilities," said Alexander, who also heads the National Security Agency.
As the federal government moves to address those vulnerabilities, defense contractors such as Boeing are pushing aggressively to win lucrative contracts. Companies accustomed to selling weapons to the government also are bidding for work in secret military programs to develop offensive cyberwarfare tools.
Missourians are playing other key roles: Sen. Christopher "Kit" Bond, R-Mo., hopes to engineer major legislation soon that he believes is essential to protect against computer attacks.
Meanwhile, the University of Missouri is setting up a new Cybersecurity Institute that will sponsor seminars, scholarships and research. The government's urgent efforts to protect against cyberattacks is raising questions in academic circles about threats to privacy and civil liberties.
'AN ENORMOUS PROBLEM'
At the heart of the debate is the reality that hackers are aiming at networks as well as home computers with increasingly sophisticated techniques. They are trying to steal everything from intellectual property to personal financial information -- or perhaps they merely hope to cripple systems in so-called denial of service attacks. The National White Collar Crime Center reported $560 million in losses from a variety of Internet crimes last year, more than double the reported losses a year before.
"It's an enormous problem that has been creeping up on us," said Ronald Ross, a government computer scientist who develops security guidelines for federal agencies and government contractors.
"There's a whole new wave of cyberattacks being launched right now at the U.S. government and businesses from very sophisticated threat sources," he said.
James Lewis has written authoritatively on cybersecurity at the Center for Strategic & International Studies in Washington. He has assembled a list of dozens of significant attacks around the world, among them Google's disclosure earlier this year that Chinese attackers had penetrated its network and systems of more than 30 American companies.
The root of today's vulnerability, Lewis contends, is the inattention to security over the years in building a global network. Now, he says, hacking operations have grown so sophisticated that some deploy thousands of computers to automatically send malicious probes, one per minute, 24 hours a day.
"You have consumers and companies and federal agencies for whom security is not their top priority, maybe not even a third-level priority. Against them, you have intelligence agencies and criminals for whom this is their top priority," he said.
For defense and aerospace companies, the government's recent push to protect itself is welcome given the move away from some of the big-ticket weapons systems. Cybersecurity is widely viewed as a certain growth industry, especially when combined with the government's confidential programs to develop offensive cyberwarfare capabilities.
"It is one of the very few growth opportunities that exist today in the defense sector. Other areas are likely to trend downward," said defense analyst Loren Thompson, of the Lexington Institute, a northern Virginia think tank supported heavily by defense contractors.
Thompson estimates the government market for cybersecurity at between $10 billion and $14 billion -- not counting the confidential awards for cyberwarfare, which could double the business available to contractors, according to some estimates.
Like robbing banks
But before they can offer protection for others, defense contractors must first secure their own networks from hacking. At Boeing, a major computer outage in the mid-1990s led to the formation of its "Tiger Team" and a shift in thinking about computer security. Last year, amid increasing worries about unauthorized access to its system, the company moved to a smart card system to gain access.
Linda Meeks, Boeing's chief information security officer, recalled the increasing number of attacks such as those with phishing e-mails to employees that appeared to be coming from friends and family.
Meeks said the company decided to turn off e-mail access to anyone without a card. At a conference discussing the decision, she recalled being "brutally honest about what happened in the company."
Boeing, which houses its primary IT operations in St. Louis, describes its entrance into the cybersecurity business four years ago as a natural progression in its defense business. Jeff Trauberman, vice president of business development in the company's Network and Space Systems division, said his company was providing products to government agencies for both cyberdefense and cyberoffense.
For instance, the Defense Department is among those who have bought a version of the Boeing Security Monitoring Infrastructure System, like the network deployed in St. Louis to monitor would-be hackers.
"We are actually a bigger player in the market than people might know. We expect not only to continue to be a big player, we expect to grow in this area with new facilities, new capabilities," said Trauberman.
Lockheed Martin, one of Boeing's competitors, operates similar security intelligence centers in Maryland and Colorado, breaking down attacks into phases it calls the "kill chain."
Charlie Croom, the retired Air Force Lt. General who directs Lockheed's cyberoperations, said that 80 percent of the attacks his company saw in its work with the government deployed methods the company had seen before. It's the 20 other percent, the advanced persistent threats, that companies such as his worry the most about -- including "threats from nation-states who want to come in and steal our secrets."
"Like somebody asked, why do bank robbers rob banks? For cybercriminals, computers are where the money is," he said.
THREATS CREATE MARKET
Meanwhile, other St. Louis-area companies are proving that you don't have to be a global company with thousands of employees to win government contracts.
TechGuard Security, which has offices in Chesterfield, at Scott Air Force Base and in Baltimore, is tailoring its "Poliwall Q" security system for commercial customers as well as government agencies. The system enables networks to block incoming traffic as well as outgoing data, the company claims.
Suzanne Magee, TechGuard's CEO, described the threat as hackers "stepping right into people's computer systems through the back door and having access to all of it. ... I don't know any organization that hasn't been touched by these problems. A lot of these very smart hackers can put this stuff on your computer and make it look like it's coming from a very legitimate source."
At Chesterfield-based Impact Technologies Inc., Tom Rohlfing, president of cybersecurity, recalled helping solve an area case recently in which an employee was able to break into records to obtain confidential payroll information. In another instance, Impact's software showed that some 4,000 students were on Facebook at one time at a university he declined to name, raising concerns about the network's bandwidth. And there are more serious concerns, he said.
"We used to think of hackers as kids and college students having fun by injecting nonmalicious viruses," Rohlfing said. "Now hackers are putting bots and malware and spyware in those networks and extracting small bits of data over time, and you don't even know it."
The threats may be increasing, but so is the competition to sell the remedies, observed the Lexington Institute's Thompson. For the companies, "It's a free-for-all, and they are going to drive down each other's profit margins," he said.
There are implications for taxpayers, too, with the government spending billions without clear standards to evaluate what companies are selling.
"There doesn't seem to be a rigorous framework for saying, 'That's enough,'" he said. "No matter how much the government buys, somebody always is going to have this plausible reason for why we're vulnerable."
