Shrieking in Cyberspace

This is bad news for cyberterror buffs, because it eliminates from discussion 99 percent of the cases cited as proof that cyberterrorism is a clear and present danger. There's simply not much blood and guts in the hacker users manual. There are, however, a multitude of methods for screwing up another computer, slowing down a Web site or stealing private files.

After the standoff between China and the U.S. over a downed spy plane one year ago, the home pages of the White House, the Air Force and another 1,200 American Web sites were hacked, many tagged with political slogans. Such Web defacements have become routine in Israel, where pro-Palestinian hackers have declared a "cyber jihad" and Israelis have organized a "cyber militia" whose handiwork includes the sudden appearance of porn on the homepage of those fun-loving hedonists, Hamas.

More damaging are so-called denial-of-service attacks, previously employed to clog NATO servers following the U.S. bombing of Serbia. John Arquilla, a leading Pentagon info-war theorist and a visiting lecturer of public policy at Pepperdine University, sounds like he's analyzing an invasion of mighty warriors when he describes "master hackers" and their power to "amass enormous arsenals of zombies." But USC's Thomas wonders whether terrorists get so worked up over what is essentially a nasty trick for freezing Web sites and disrupting e-mail. "I just can't imagine some lieutenant going back to Osama bin Laden and saying, 'We've struck terror in people's hearts -- Yahoo! was inaccessible for over an hour,'" he says.

By far the most damaging form of computer attack is the total takeover, in which a hacker hops over firewalls, puzzles out passwords and gains complete control of a system. It's called "breaking root," and it's the brass ring of hacking. Break root, the theory goes, and you can do anything a computer can: fluctuate the value of the U.S. dollar, stop traffic in midtown Manhattan or redirect all 911 calls to a single pizza parlor.

Breaking root is the basis of all the scarier cyberterror stories, from the global meltdown of Tom Clancy's Net Force series to the recent FBI reports that al Qaeda hackers may be learning about the digital devices commonly used in American network systems. While total takeover sounds alarming, computer experts say it's really not such a catastrophic event. In fact, it happens all the time. The CERT Coordination Center, a government-supported computer emergency response team at Carnegie Mellon University, logged some 52,658 security breaches and attacks in 2001. Experts say between a quarter and a half of those involved a hacker gaining total control of a system. Do the math and you find that in one year, hackers went for more than 13,150 joy rides -- and those are just the ones that freaked out their owners enough to call in government computer cops.

"It's one thing hacking in -- it's another thing entirely operating one of these systems," says Erik Ginorio, a former hacker and FBI informant from San Francisco who now works in private security. "To do real damage or make a system do something the owner doesn't want done, you need real experience on high-end stuff. You need equipment and tons and tons of knowledge about the systems we're running. And there's just not that much of that high-end equipment floating around out there."

HERE'S NOTHING HYPOTHETICAL about the billions of dollars flooding into the cybersecurity industry. In fact, cyberterrorism may be the best thing to happen to the tech sector since Y2K hysteria -- except this boom has no built-in expiration date. According to Forrester Research, U.S. businesses spent $5.7 billion protecting computer data the year before the attacks on the World Trade Center. Next year they'll shell out an estimated $13.6 billion, with projections climbing every year through 2006.

EDS, the tech giant founded by Ross Perot, is currently building a secure private Intranet for the Navy and Marine Corps at a cost of more than $6 billion. Meanwhile, sales of antivirus, intrusion- detection and other security software have skyrocketed, and computer geeks are recasting themselves as chief security officers, a new executive- level post that that can fetch salaries of $400,000. Even the CIA is hitching a car to the money train, establishing a venture-capital firm called In-Q-Tel (named after the James Bond sidekick) to partner with companies developing, among other things, anti-cyberterror technology.

Lower down the food chain are the thousands of consultants, analysts and educators who make their living warning of the dangers lurking inside our laptops. "I caught the wave," says Matt Devost, a computer engineer from Washington, D.C., who got into the business at the tender age of 21 after writing his thesis on info war. He hit the speaking circuit before graduating, got a consulting gig with the Department of Defense and now runs a "multimillion-dollar research-analysis company" called Technical Defense Inc. "It was just starting when I got started, and it's grown ever since."

Devost can provoke jitters in the most hardened CEO describing his experiences as a "white hat" hacker hired to attack computer networks. He's hacked public utilities, air-traffic-control systems and such corporations as Microsoft and Citygroup, and he says he routinely finds himself in a position where he could steal vast stores of money or trade secrets or make his presence known to millions of innocent bystanders.