Security Needed on the Web

The denial-of-service attacks last week against a number of popular websites, including web portal Yahoo as well as retailers Ebay and Buy.com, were a reminder of the need for security tools to keep pace with the development of new technologies. The attacks were the more frightening because they were not particularly ingenious; indeed, they could have been executed by almost anyone.

Weak links elsewhere on the Internet can affect even the most well-protected systems--a fact that should reveal to government and the technology industry, as the Year 2000 problem did, the vulnerability of society to disruptions in its digital infrastructure and the need for a comprehensive reassessment of security.

Luckily, the attacks did not involve any control of the e-commerce giants' computer networks. In these "distributed denial-of-service" attacks, the attackers found unprotected computers anywhere on the Internet and installed software on them to make them agents, doing the dirty work of the attack. When the time for the attack came, each of the captured agent computers flooded the intended targets, (such as Yahoo) with network requests, making their computers too busy to do anything but respond. The type of attack does not so much resemble breaking into a bank as running in circles inside the revolving door and preventing anyone else from getting in.

Given that such an attack is normally executed from a variety of compromised agent computers, it is exceedingly difficult to defend against. With the malicious traffic coming from many different sources, possibly sent with forged return addresses, the systems under attack are unable simply to screen out the attackers and continue business as usual. Indeed, even the best protections can sometimes be overcome by the brute force of thousands of network requests. The implications of such defenselessness are twofold.

First, it demonstrates shows how, in an interconnected world, the biggest systems are only as safe as the most unprotected. Although the attackers would not have been able to take actual control of their targets' computers, instances of lax security elsewhere on the Internet allowed the attackers to make their targets inaccessible, which under certain circumstances could be almost as bad. Last October the General Accounting Office released a report castigating government agencies as well as businesses for poor security practices, and it argued that even vital services such as national defense, law enforcement and air traffic control could be the victims of electronic attacks. Security has to be taken seriously as a national and perhaps even global concern.

Second, this defenselessness shows how vulnerable the newly networked world is to electronic attack. Although the attacks last week were against mostly consumer-oriented websites and did not rise to the level of threats to national security, one can only imagine the types of services--commerce, communications, the operations of government--that would be susceptible to attack in a year or five-years' time, when the Internet will be even more ubiquitous. If these attacks were accomplished by a few disaffected "script kiddies" or the proverbial 15-year-old in his parents' basement, one can only imagine what could be accomplished by concerted effort to undermine security--say, by a foreign government during wartime, or a company seeking to damage the reputation of its competitors.

Technical solutions will be slow in coming, and little can be done for now except to urge the technology industry to place a higher priority on issues of security usually buried in bug reports and fixed in infrequent updates. For the longer term, however, security should be integrated into the way we think about technology. Last month President Clinton proposed as part of his technology initiatives a college tuition subsidy for students who agree to study computer science and work after graduation for the federal government to improve computer security. This sort of "G.I. Bill" for computer security could do much to improve America's electronic infrastructure, which must be safe if it is to be lasting and productive.