


NSA Sought Data Before 9/11

by Shane Harris




Beginning in February 2001, almost seven months before the 9/11 terrorist attacks, the government's top electronic eavesdropping organization, the National Security Agency, asked a major U.S. telecommunications carrier for information about its customers and the flow of electronic traffic across its network, according to sources familiar with the request. The carrier, Qwest Communications, refused, believing that the request was illegal unless accompanied by a court order.

After terrorists attacked the United States on September 11, the NSA again asked Qwest, as well as other telecom companies, for similar information to help the agency track suspects with the aim of preventing future attacks, current and former officials have said. The companies responded in various ways, with Qwest being the most reluctant to cooperate. However, in February 2001, the NSA's primary purpose in seeking access to Qwest's network apparently was not to search for terrorists but to watch for computer hackers and foreign-government forces trying to penetrate and compromise U.S. government information systems, particularly within the Defense Department, sources said. Government officials have long feared a "digital Pearl Harbor" if intruders were to seize control of these systems or other key U.S. infrastructures through the Internet.

A former White House official, who at the time was involved in network defense and other intelligence programs, said that the early 2001 NSA proposal to Qwest was, "Can you build a private version of Echelon and tell us what you see?" Echelon refers to a signals intelligence network operated by the NSA and its official counterparts in Australia, Canada, New Zealand, and the United Kingdom.

The NSA realized that it was blind to many of the new online threats and to who was using the privately owned telecom networks, and it thought that Qwest was in a position to help. The agency needed better intelligence in the face of a burgeoning Internet, and Qwest was then building a high-speed network for phone and Internet traffic that had caught the attention of senior intelligence officials. The NSA, in effect, wanted Qwest to be the agency's online eyes and ears.

Another source said that the NSA wanted to analyze the calls, e-mails, and other transmissions crossing Qwest's lines, to detect patterns of suspicious activity. Telecom carriers routinely monitor their networks for fraudulent activity, the former White House official noted, and so the companies "have an enormous amount of intelligence-gathering" capability. They don't have to target individual customers to "look for wacky behavior," or "groups communicating with each other in strange patterns." That information could augment intelligence that the NSA and other agencies were gathering from other sources, the former official said.

Qwest's then-chief executive officer, Joseph Nacchio, rejected the NSA's request. "He didn't want to go along with that," and his refusal was not greeted warmly in the intelligence community, the former White House official said. Another source, a former high-ranking intelligence official, said that other companies, both before and after 9/11, had less of a problem complying with government requests if they were accompanied by a legal order. The ex-official added that some companies were willing to offer data and to assist the government "as necessary" on a voluntary basis, without a court order.

Nacchio has said publicly that the NSA asked Qwest for customer records after the 2001 terrorist attacks. But the nature of the agency's request before 9/11 has not been disclosed previously. Sources familiar with the activities spoke to National Journal on the condition of anonymity, because the work is still classified.

By early 2001, the NSA was aware of the growing threat of terrorism and was monitoring communications among Al Qaeda members overseas. But the agency, the Defense Department, and the White House also feared Internet-based attacks on U.S. government installations, and they believed that other countries were increasingly interested in cyberspace as a battlefield.

At the same time, the NSA was hesitant to conduct any surveillance activities that might violate long-standing prohibitions on domestic intelligence-gathering without court orders. One way to get the information that the agency and others deemed necessary for network defense was from the telecom carriers.

Nacchio, it appears, believed that the NSA's pre-9/11 request for access to Qwest's network was illegal. The former White House official said that the intelligence-gathering was not targeted at Qwest's U.S. customers, but he acknowledged that handing over customer information without a lawful order could violate the Electronic Communications Privacy Act, a 1986 law that extended wiretapping restrictions on phone calls to include electronic information transmitted by and stored in a computer.

After 9/11, that law was amended by the USA PATRIOT Act, and it became easier for the government to obtain certain private communications. When reports surfaced last year that telecom carriers were participating in a post-9/11 NSA program to analyze customer calling patterns for terrorism indicators, Nacchio's attorney stated publicly that Qwest had refused "to make private telephone records of Qwest customers available to the NSA immediately following [enactment of] the Patriot Act." Nacchio had concluded that the NSA's requests violated the privacy requirements of another law, the Telecommunications Act, his attorney said.

The question of Qwest's involvement with the NSA before 9/11 has surfaced in recent weeks because of Nacchio's appeal of his criminal conviction on 19 counts of insider trading. Nacchio was sentenced to six years in prison in July, but he remains free pending his appeal. He contends that the NSA retaliated against Qwest for not complying with its request by denying the company work under a multibillion-dollar program called Groundbreaker, which outsourced the NSA's unclassified information-technology systems. Federal prosecutors deny that allegation, noting that Qwest was a member of the team that ultimately won the Groundbreaker deal in August 2001.

Nacchio wasn't allowed to use his retaliation argument at his trial. But details of Qwest's interactions with the NSA, as well as years of work that the company performed for the Defense Department and the intelligence community, are contained in legal documents filed by his defense team and made public three weeks ago. Although the documents are partially redacted, they reveal that Qwest aggressively pursued business with the NSA while trying to put off officials' entreaties for more access to the company's network, requests that persisted for years.

The documents state that Nacchio and another senior Qwest executive met with NSA officials at their headquarters at Fort Meade, Md., on February 27, 2001. At this meeting, the agency proposed Qwest's participation in certain activities whose details are redacted from the court documents.

"Nacchio said it was a legal issue, and they should not do something their general counsel told them not to do," according to federal investigators who interviewed the former head of Qwest's government business unit, James F.X. Payne. "Nacchio projected that he might do it if they could find a way to do it legally."

Payne told investigators that the NSA requests came up "in meetings after meetings." Investigators quoted Payne as saying, "There was a feeling also that the NSA acted as agents for other government agencies." Payne could not be reached for comment.

Although the NSA's specific request for an Echelon-like program may have worried Qwest's attorneys, it appears that the company was sharing other kinds of proprietary information about its network with the Pentagon in the months before 9/11.

In May 2001, then-Commerce Secretary Donald Evans told the Senate Appropriations Committee that his department had helped to persuade Qwest to "share proprietary information with the Defense Department to evaluate the vulnerability of its network." (The Commerce Department includes an agency that is responsible for telecom policy.) Qwest, Evans noted, was the largest carrier in the Rocky Mountain corridor. That area is home to some of the military's most important command-and-control facilities, including the U.S. Strategic Command, which oversees nuclear weapons.

By the time the NSA asked for Qwest's assistance in February 2001, the company had become a darling of the Internet Age. Founded in 1988 by Philip Anschutz, who owned the Southern Pacific Railroad, Qwest built the first all-digital, fiber-optic network by laying lines alongside railroad tracks, then linking to terminals in key locations to provide high-speed Internet and data connections.

The Defense Department operates its own classified networks, which are more resistant to attack, but Qwest's network was faster, more expansive, and more technologically advanced. Nacchio's legal documents show that from the late 1990s and into the new century, Qwest was chasing at least two lucrative deals to build private, secure networks for defense and intelligence agencies.

Qwest's first high-level contact with the NSA may have occurred as early as 1997. Late that year, according to Nacchio's legal briefs, Qwest was informed that a military "general officer wanted to meet with Mr. Nacchio." Two weeks later, a three-star (lieutenant) general and his aide showed up at Nacchio's Denver office and told him that they had "heard about Qwest's new network." Nacchio described the operation and "talked about his background at AT&T, with which they were already familiar," the documents state. Nacchio had spent more than a quarter-century with AT&T before taking over at Qwest in 1997.

At some point, the general -- whose name and affiliation are omitted from the documents -- asked to speak privately with Dean Wandry, who led Qwest's government business unit at the time. "The general told Mr. Wandry that he ran the largest telecom operation in the world, he had looked at Qwest's network, and he wanted to use it for government purposes," the documents state. By law, the head of the NSA must be at least a three-star general or a vice admiral. In 1997, Lt. Gen. Kenneth Minihan was the director. He was replaced in 1999 by Lt. Gen. Michael Hayden, who is now a four-star general and the director of the CIA. Hayden declined to be interviewed for this story. An assistant to Minihan, who is now a managing director with Paladin Capital Group, a private equity firm in Washington, said he was unavailable for comment.

A number of former intelligence officials said that the description of a three-star general running the "largest telecom operation in the world" seemed to fit the NSA. In 1997, the Defense Information Systems Agency, which manages a large telecom enterprise, was also run by a lieutenant general. But that agency's operations are smaller than the NSA's. Also, Qwest's first contact with DISA occurred after the 1997 meeting with the unnamed military officer, according to Nacchio's legal filings. Qwest has done unclassified work for DISA, and it received a large contract from the agency as recently as last year.

After the Denver meeting, Wandry told Nacchio "that there was a big opportunity here for Qwest," the court filings state. Nacchio received a security clearance "a short time later." Qwest then received a contract from the agency, which Nacchio wanted to announce publicly. He was "refused permission," the briefs state, but he "understood at the time this was the beginning of a relationship which had enormous potential for future work. This proved increasingly true as time went on."

Qwest certainly worked for the NSA beginning at least in 1999. A search of Internet number registration files shows that the company allocated a portion of its network that year to the Maryland Procurement Office at Fort Meade, which is the NSA's contracting unit. An e-mail from employees in Qwest's government business group, sent in December 1999, requested a meeting with senior executives "to discuss the potential opportunity with the Maryland customer." (DISA, it should be noted, is headquartered in Virginia.) By 2001, the company was pursuing the NSA's Groundbreaker contract. And in March of that year, Payne, who by then was running the company's federal business, wrote in an e-mail to colleagues that Qwest was already a "provider" of telecom services to the NSA through existing contracts.

Meanwhile, concern was rising at the NSA that the proliferating global Internet might become a weapon for U.S. adversaries. As early as June 1998, then-NSA Director Minihan testified before the Senate Governmental Affairs Committee about "a wide array of malicious actors -- including hackers, terrorists, and nation-states," all of whom threatened "users of networked information systems."

Minihan singled out Russia and China; the latter, he said, had already incorporated cyber-warfare into its military training. He also pointed to the emergence of "transnational security challenges," including terrorism, drug trafficking, and international organized crime. "These opportunists, enabled by the explosion of technology and the availability of inexpensive, secure means of communication, pose a significant threat to the interests of the United States and its allies," Minihan said.

A former senior NSA official said that the agency also worried that because these groups understood privacy laws so well, they knew how to avoid detection and could predict what the NSA would, and wouldn't, do to track them. "There was such a nuanced understanding of how to tie us in knots and use American law against us, that there were certainly pockets of people saying, 'We've got to be assertive; we've got to be more aggressive on this,' " the former official said.

Hayden, who ran the NSA from 1999 to 2005, was well known for his willingness to push operations to the legal edge. "We're pretty aggressive within the law," Hayden said in public remarks after 9/11. "As a professional, I'm troubled if I'm not using the full authority allowed by law."

Hayden has repeated that refrain since the attacks. But former intelligence officials doubted that he would have authorized any request to Qwest, or other companies, that he believed violated the law. They noted, however, that many in the agency had long thought that monitoring "metadata," such as a phone number, the length of a call, or a series of calls placed from a particular phone, didn't implicate privacy because such information didn't constitute the "content" of a message -- its written or spoken words.

Published in National Journal


The Worm that Turned

by Shane Harris




The federal government's fight against one cyber villain changed its response to online attacks.

Wednesday, June 20, 2001
6:30 a.m.
FBI Headquarters,
Washington

After 23 years as a CIA analyst, having briefed the president and his team on every conceivable threat to national security, Bob Gerber was scared. More scared than he'd been in a long time.

Holed up in his cramped, 11th floor office on a stark, colorless hallway at FBI headquarters in Washington, Gerber's stomach turned as he took his first look at a new enemy.

Gerber was a hunter, one of the government's best. These days, he was hunting worms, malicious computer programs let loose into the wild of the Internet by some of computerdom's most brilliant hackers. Two months earlier Gerber, 56, had left his job at the CIA, where he helped write the president's daily intelligence briefing, to head the analysis and warning division at the FBI's National Infrastructure Protection Center. There, he and his crew of more than 60 tracked worms, viruses and other computer evils, as well as the hackers who create them. Both threatened daily to shut down the engines of modern life - electrical power grids, the banking system, water treatment facilities, the World Wide Web.

Worms were the most vicious new beasts to stalk the Internet. But Gerber had never seen a worm quite like the one he confronted that sweltering Wednesday morning in June.

It was named Leaves after "w32.leave.worm," the poisonous file it implanted in unsuspecting computers. Like all worms, Leaves bored through cyberspace, probing Internet connections for holes in personal computers or Web servers. It slithered inside the machines and spewed venomous strings of data that threw its victims into electronic shock.

Leaves was hardly the first worm to infest the Internet. In fact, the pests became so common in 2001 that security cognoscenti dubbed it the "Year of the Worm." Worms wrought all sorts of damage. They forced computers to delete critical files or erase entire programs. They also allowed hackers to steal personal information from computers' memories. Once they infested their victims, worms made clones, then used their hosts as launching pads for more worms, whose numbers grew exponentially.

In 2000, Gerber and his team began battling a new species of even more virulent super worms. Rather than devour computers' innards, these worms hijacked their victims' controls, rendering them powerless zombies. With a gang of zombies at his command, the creator of a superworm could mob a Web site or computer system, flooding it with bogus electronic transmissions until it drowned in the data torrent.

In the spring of 2000, Gerber's colleagues took on a 15-year-old hacker who called himself Mafiaboy. The teenager turned his zombies loose on World Wide Web giants Amazon.com, eBay and Yahoo!, launching what is called a distributed denial of service attack that shut down business at the sites for five hours. It cost shareholders and the companies billions and shocked the Web world.

But compared with the Leaves worm, Mafiaboy's creation was a larva. Gerber's best analysts had worked late into the night trying to make sense of a sample of Leaves captured by worm watchers at the SANS Institute, a computer research center in Bethesda, Md. They let Leaves infect a computer, and then they watched how it behaved. What Gerber saw fascinated and appalled him.

Leaves was a zombie maker on steroids. It searched out computers already wounded by another Internet scourge called a Trojan, which installs back doors in the machines. Leaves used a Trojan called SubSeven as its entrance. Once transformed, the zombies awaited orders. To communicate with them, Leaves' creator ordered his zombies to rendezvous online through Internet Relay Chat channels. He also told them to visit certain Web sites and download encrypted information to receive instructions on what to do next. No one knew who was controlling the zombies, from where or why.

Reading the guest registries of chat rooms, Gerber discovered that an army of 1,000 Leaves zombies already was on the march. Mafiaboy, by contrast, had a few hundred conscripts and sometimes used only a dozen to attack a Web site.

What's more, Leaves contained an electronic gene enabling its creator to control every zombie at once from any Internet connection in the world.

Gerber never had seen a worm so sophisticated or terrifying.

But to exterminate it, Gerber needed more samples to dissect and more time. Pulling out the lines of computer code that told the worm how to behave might help him shut it down. Or, if he could identify the worm maker's ultimate goal, Gerber might be able to head him off.

The FBI group usually worked alone or with a few select federal officials and private sector consultants. But even Gerber's top-flight team was daunted by Leaves. It was time to call in help. Only a public-private posse of America's best hacker trackers could gut this worm.

By pulling such a group together for the first time and then letting it operate largely unsupervised, Gerber created a new model for federal computer crime fighting.

June 29
FBI Strategic Information
and Operations Center,
Washington


Gerber called the most seasoned and cunning code crackers, worm gurus and cyber soldiers from government and industry to meet at FBI headquarters. On a Friday afternoon, 10 days after Leaves was discovered, the posse gathered in the FBI's crisis headquarters, the Strategic Information Operations Center.

It was the most concentrated arsenal of computer crime-fighting talent the government ever had gathered. They came from leading security companies Symantec and Network Associates, the FBI, the White House and the Defense Department.

But there was a hitch. The private experts were uneasy. Could they trust the G-men? Uncle Sam was a bumbling bureaucrat. His security was notoriously lax. Hackers had been penetrating military and intelligence agency computers for years. What could federal officials possibly know about fighting an enemy as elegant as Leaves?

The two sides eyed each other warily as Gerber laid out what he knew. The evidence seemed to show that Leaves' creator was preparing a massive denial of service attack. Everyone would have to work together to stop it. Mistrust would keep them apart. It took Marcus Sachs, a cyber soldier from a Pentagon unit trained to attack foreign networks, to bridge the suspicion gap.

Sachs dazzled the room with his observations and theories about Leaves. With casual command of hacker lingo and the history of worms and their attacks, he demonstrated both the expertise of the government corps and the urgency of defeating this unique and dangerous foe.

The ice melted. Slowly, a simple sheet of paper passed around the room. First one, and then the next, wrote down his name, e-mail address and phone number. The Leaves posse came to life and it readied for a fight.

Days later
Los Angeles

Jimmy Kuo left the meeting to conduct an electronic autopsy.

Kuo, a research fellow at the security firm Network Associates, took samples of the worm home to Los Angeles. Many in the Leaves posse returned home to operate on their own turf, not from a single base in Washington. "In this line of work, it doesn't matter where you are, as long as you have a laptop computer and a phone," Kuo says.

The Leaves code was a jumbled mess. It was encrypted and compressed - data had been squeezed together to save space. Mr. Leaves, as some in the posse had begun calling the worm's creator, knew his creation would be captured. He ensured the worm wouldn't easily give up its secrets. Kuo ripped apart layers of code with powerful programs to reveal the deeper truths Leaves was hiding.

Other members of the posse were ripping Leaves, too, untying its knotted innards. One wrote a program to mimic the Trojan that Leaves used as a back door. The posse laid the trap across the Internet.

Sharing their discoveries by phone and e-mail, the code crackers found eight variants, or mutations, of the worm. Mr. Leaves was tweaking his weapon, finding new ways to deliver it. And he was moving faster than the posse.

While Kuo ripped in Los Angeles, a posse member watched for abnormal Internet traffic from SANS in Bethesda. Still others huddled at the FBI. The group worked smoothly because nobody was in charge, Sachs says. "Egos didn't get in the way of progress." They worked fast, but as days passed, their analysis yielded fewer new results. They learned much about the worm's attributes, but little about its purpose.

Mr. Leaves had directed the zombies to synchronize their clocks with the Naval Observatory clock on the Web. The army was prepared to attack in unison. No doubt, Mr. Leaves soon would begin his onslaught.

Unless someone could find him first.

Early July
FBI headquarters,
National Infrastructure Protection Center
computer investigation unit

FBI Special Agent Michelle Jupina wanted two things: to find Mr. Leaves and to lock him up. The bureau sought Leaves' creator on criminal charges of unlawfully entering a computer. Jupina was at the first posse meeting in June, but she kept a low profile. Assigned to the infrastructure protection center, Jupina, 36, was well-versed in cyber jargon. She understood how hackers thought and maneuvered.

The posse saw Leaves as a marvel of engineering. But to Jupina, the worm and its maker were just garbage to clean up. Short, quiet and hidden under a mane of frosty blonde hair, Jupina didn't seem capable of bursting through a hacker's door and yanking him off his keyboard. She was so unobtrusive that a posse member recalls he didn't even know she was a cop until she got up from her seat one day and "I saw a cannon strapped to her side."

But as the posse ripped Leaves apart, Jupina was a constant eavesdropper, digging for evidence in the pile of Leaves' secrets the posse unearthed. Even as new revelations slowed, Jupina and the agents under her command feverishly followed leads. Steadily, they shut down the Web sites Leaves' zombies used to receive instructions. They planted tracking devices to pick up the hacker's footprints.

Second week of July
FBI Strategic Information Operations Center

Weeks passed. The zombies remained quiet.

Gerber had issued a public warning about Leaves on June 23. The private sector posse members had warned their customers. News that Leaves was on the loose circulated through the computer security trade press. But still no attack.

Ripping continued. The zombie army grew. By July, at least 20,000 computers were encamped in chat rooms or patiently waiting for their orders. "That scared the hell out of us," Gerber says.

Mr. Leaves was getting wily. Whenever the team shut down one Leaves chat room the worm automatically created a new one. Mr. Leaves tried new methods, too. On July 9, one of the companies in the posse found an e-mail claiming to be a security bulletin from Microsoft Corp. The bulletin warned of a new virus, and told users to download a file to protect their computers. In the file was Leaves.

The bogus warning was badly written and eerily self-congratulatory:

"Yesterday the Internet has seen one of the first of it's downfalls. A virus has been released. One with the complexity to destroy data like none seen before."

Today, hackers often mask their worms as official security warnings, but this was the first use of the tactic. Like many outlaws, Mr. Leaves inspired a certain grudging admiration within the posse chasing him. "I had a feeling I was dealing with an artisan," Gerber says.

Or possibly a common crook.

Perplexed by the lack of attack, someone in the posse posed a new theory: Perhaps instead of damage, Mr. Leaves sought money.

The posse knew that some companies paid Web surfers to click on advertisements on their sites in order to inflate estimates of the success of the ads. With 20,000 zombies to click for him, Mr. Leaves could make a killing. Some of the sites the zombies visited contained these ads. If the FBI could find an account where Mr. Leaves put the funds, trace it to a physical address and tie it to him, the case might be solved.

Convinced Leaves had to have been created for a denial of service attack, the posse scorned this theory. Pulling off one of the biggest attacks ever was the only glory befitting such a brilliant worm.

But something didn't make sense. Mr. Leaves was taking an awful risk by not attacking. Every time he logged on to communicate with his zombies, the FBI had another chance to trace him. Why expose himself? Why not just preprogram the zombies to act on their own? The scam began to seem more believable.

But before the posse could prove its theory, an attack began. It wasn't the work of Leaves.

On July 17, a new worm appeared - Code Red. It was named after Mountain Dew Code Red soda, the only thing that kept two private sector analysts awake as they tracked it day and night.

Leaves propagated like a rare illness, targeting only victims with weakened immunity. But Code Red spread like smallpox. The worm exploited a ubiquitous hole in one of the most popular brands of Microsoft Web servers. In a few hours, Code Red had eaten into more than 100,000 servers worldwide. The swarm of worms leaping from machine to machine caused an electronic traffic jam, slowing all Internet traffic. In the aftermath of the attack, companies would spend billions of dollars plugging the holes that let Code Red enter.

Able as it was, the posse didn't have the strength to fight both Code Red and Leaves at once. The choice was clear: Code Red took precedence.

The Leaves posse had built a new model for chasing Internet outlaws. They honed it battling Code Red. But fighting the new menace left Leaves on the back burner. All they could do was hope that Leaves was no more than an Internet heist or pray that Jupina and her crew could track down and nab Mr. Leaves before he, too, unleashed his zombie brigades.

For weeks, Jupina and her technicians had laid traps and tracers across the Internet. She wanted the hacker's Internet protocol address, the digits that identify anyone who sends information online. Hackers cover their tracks by erasing those addresses from the servers they use. But Mr. Leaves had slipped.

In a cache of addresses Jupina had pulled off a server in Oklahoma at the end of June, she found one used by Mr. Leaves. It was a hot lead.

But chasing the address could take Jupina around the world. And she could nab Mr. Leaves only if he lived in a country that considered hacking a crime. If he did, the company that provided his Internet service would have to cough up his home address and Jupina would have her man. Luckily, after some tracking, Jupina hit gold: Mr. Leaves' address originated in the United Kingdom, home to some of the toughest computer crime statutes in the world.

Jupina rang the Scotland Yard computer crime unit. Within days they traced the Internet address and attached it to a name and a place. The hacker was a 24-year-old man living in one of the seedier sections of London. Scotland Yard set up a stakeout at his digs.

July 23
FBI headquarters and
South London, England

Back at FBI headquarters, Jupina kept watch on a computer monitoring the Oklahoma Web server. When Mr. Leaves logged on again, Jupina would know. Jupina waited with Scotland Yard's phone number at the ready. Officers in South London sat tight outside the hacker's residence.

Nothing.

And then, there he was.

Jupina watched as the hacker connected to the Oklahoma server. She gave the word to Scotland Yard: Go. The officers arrested the creator of one of the most ingenious worms ever known.

Epilogue

The Leaves posse proved itself during the Code Red attack. Code Red made headline news. The FBI, the White House and security companies launched a coordinated campaign to track it, warn the public and take steps to protect vulnerable systems. Crippling of the White House Web site was narrowly avoided; Pentagon Internet connections were temporarily shut off. Damage was significant - estimates are in the billions of dollars - but it would have been worse had the response not been as fast and well organized. No perpetrator has been identified.

Mr. Leaves caused no major damage before the posse rounded him up. And the same team remains on guard against new worms or other cyber threats. When one appears, the posse comes alive. E-mails fly, home telephones ring as the members swing into action, sharing what they know, tracking, dissecting, devising traps and passing evidence to the FBI.

In November 2002, shortly before leaving the FBI and returning to the CIA, Bob Gerber sat in a new office at FBI headquarters. Next to a bookcase full of hacker treatises, with a can of Mountain Dew Code Red displayed prominently on a shelf, Gerber pondered Mr. Leaves' motive. The FBI never found evidence the hacker had stolen money using the worm. Gerber and Jupina had brought the case all the way to a collar, yet they might never know Mr. Leaves' ultimate goal. "As far as I know, no one ever asked Mr. Leaves why he did what he did," Gerber says.

And no one ever may get the chance. In November 2001, the man who confessed to British authorities that he'd created the Leaves worm received a "formal caution," a legal warning usually reserved for juvenile crimes and minor drug offenses.

The lead officer on the case insists the agency has information about the hacker's motives that the FBI hasn't heard. But Scotland Yard refuses to divulge what it knows. Citing British law, officials refuse even to reveal the hacker's name.

Tens of thousands of computers containing now-dormant Leaves worms await instructions from their master. Should they ever again awaken, a posse will be waiting.

Published in Government Executive

Shane Harris
Intelligence and Homeland Security Correspondent, National Journal
