Our story so far: Our hero, Frank Adversego is trying to catch a hacker threatening the Library of Congress, whose motives remain obscure. But the pursuer is about to become the pursued. Read the first chapter here, and follow the Further Adventures of Frank on Twitter.
While Frank was enjoying himself spear phishing venture capitalists, back at the Library of Congress files were flashing out of virtual view like fireflies on a summer’s eve. One by one, documents important and banal, short and long, drifted silently off in the digital darkness to points unknown, leaving only Alexandria Project contribution screen code behind.
Thus it was that at 10 on Friday morning, Frank’s office phone buzzed, and he heard the receptionist say, “Your turn, Frank. Conference room two.”
Frank logged off his computer and stood up with a thoughtful look on his face. Just enough time for a little self-coaching as he walked down the hallway. Stay cool, he thought. Be calm. You don’t have anything to worry about, so just tell the news.
That sounded good, but then again being interrogated – okay, interviewed – by a CIA agent wasn’t something he recalled reading in his job description. And it didn’t help that the interview sheet at the front desk included the names of only a few IT department staff, or that he was unable to puzzle out why one person’s name appeared and another’s didn’t. Maybe those that did were just a cover for including him? Or maybe the counterintuitive choices were intended to confuse him and put him off balance? Anything was possible. Hell, this was the CIA, for Pete’s sake..
And while we’re at it, he thought, why were these interviews being conducted by the CIA at all, and not the FBI? Nobody knew where the attacks were coming from, and this was a domestic location – wasn’t that the FBI’s turf.
And lucky him – nobody else being interviewed had any reason to be nervous, as the little chats were being passed off as just another part of the LOC security project. Per George’s latest email memo, the recent file grabs were part of stress-testing the system, and the contribution screens were just intended to dramatize the importance of the task at hand. Likely enough only Frank suspected that these interviews were deadly serious. So while others might be expecting a half hour break from the tedium of their jobs, he had to worry whether any trace of anxiety would put him on a watch list.
But the door was ajar when Frank reached the conference room, so the interview’s tie had come. Frank paused to collect himself, and then rapped on the door frame before walking in.
Seated at the table was someone in his late twenties. Frank took in the expensively styled haircut, silk tie and gratuitous suspenders. The CIA, it seemed, had sent over someone that had attended too many spy movies for his own good.
Frank had expected either some bored, bureaucrat type, or someone genuinely intimidating. But in either case, someone older and more experienced. Instead, he was going to be quizzed by this self-important kid. Frank smiled to himself at the young man’s formal demeanor as he walked into the room. Nothing that a stalled career, mortgage and weight problem couldn’t cure in a few years, Frank thought. This would be a cake walk.
“Have a seat,” the young man said without rising. “Mind if I tape our conversation?’
“That’s a rhetorical question, I assume?” Frank responded, realizing he was off script already.
“Actually, yes. Thanks for your permission.” The agent didn’t bother to look up as he put a fresh tape in the recorder.
Frank flushed as he settled into his chair. “And you are?” he asked.
“Agent Cummings,” the young man replied in a distracted voice while writing on the cassette tape box. “Cybersecurity Investigations Unit.”
Cummings slid a microphone into the middle of the table. “Okay, let’s get started. Please state your name and department.”
“Frank Adversego.” Frank said. “Special IT Snafus Unit.” Cummings looked up sharply. Frank smiled.
“Cute.” Cummings replied. “But that’s not your full name, is it? So let’s try that again."
“Okay, Frank Joseph Adversego. Library of Congress IT support staff."
Cummings paused and leaned back in his chair. “Okay, Mr. Adversego. One last try. Please state your full name, with no omissions this time.”
Frank was caught off balance by that one. As far as he knew, his full name didn’t appear anywhere in his employment file.
“Frank Joseph Adversego, Junior.” Frank stated evenly, but his eyes showed his surprise.
“Don’t be shocked, Mr. Adversego. We are the CIA, after all.” Cummings smiled smugly. “Doesn’t your dad mind you dropping the “Jr.?” Cumming raised his eyebrows and folded his hands in his lap.
“If you know my name’s the same as my father’s, then you know I haven’t seen the bastard since I was 12."
“That’s right, Mr. Adversego, as a matter of fact I do know that. Skipped out on you and your mother without warning, I believe. You have my sincerest sympathy. So maybe we can pick up some speed now, yes?"
An hour later, Frank was no longer angry. Just bored. Instead of continuing with pointed questions, Cummings had simply plowed through what appeared to be an endless checklist of topics, probably put together by some poor junior staffer operating on autopilot deep in the bowels of CIA Headquarters out in Langley, Virginia.
Frank sincerely hoped that staff person was young Agent Cummings, who increasingly impressed Frank as a self-important prig without nearly enough mental horsepower to justify his ample self-regard. Frank had never liked company-man types to begin with, and being stuck with a real Company man for this long a spell was testing his patience.
Still, it was a relief to return answers to questions that were such easy lobs. Half were clearly intended to catch Frank giving answers that were inconsistent with facts his personnel file would contain or with questions asked earlier in the hour, while the rest seemed to be intended to nail down what his usual work day was like – what kinds of tasks he performed, what types of directories he needed to access, and so on. If this was Cummings’ big chance to play a real, grown-up Secret Agent he wasn’t making much of the opportunity.
Finally, Cummings paused and began shuffling through his notes. “So what do you think of the LOC’s security architecture?” he asked in an offhand way.
Frank was sneaking a look at his BlackBerry and glanced up. “What do you mean?"
Cummings was still shuffling. “That’s up to you. It’s an open ended question.”
Frank paused. Was this a random question, or a trick one? What did Cummings expect him to say?
“Well, I guess it’s okay,” he replied.
“Okay? That’s pretty non-specific.”
“I guess you could say that. Or you could say that it’s an open ended answer.” Frank smiled sweetly.
Cummings smiled back. “Okay. Let’s try this one then. Does the LOC’s architecture meet the standards of a MacArthur Genius Award winner?”
Frank wasn’t going to let Cummings get him off balance this time. It’s my turn now, he thought, and you haven’t laid a glove on me yet. “My, my. Didn’t you ever learn you can catch more flies with sugar than vinegar, Cummings? By the way, do you have a first name? Oh – I got it – its ‘Agent.’ Say – do you mind if I call you ‘Agent?’ It’s fine with me if you want to call me ‘Frank.’” Frank smiled sweetly.
Cummings stared at him for awhile, clearly weighing how to proceed. “Carl.” He said finally, and put his notes down. “So now – Frank – how about telling me what you really think of the LOC’s security architecture?"
Frank nodded his head up and down happily. “Well, Carl, I’m glad we’re finally getting to know each other better. I’d think it would be tiring calling people “Mr.” and “Ms.” all day, not to mention being “Agented” back in response. It must be bad enough having to ask those same dead end questions over and over."
Frank paused. Carl glared.
Frank decided he’d made his point, and figured it would be foolish to overdo it. So he quit smiling before he began talking again. “Seriously, though, it’s not bad, for a big shop like this. Of course, any outfit this large can only do so well. But it’s pretty good.”
“What do you mean, “It can only do so well?”
“Well, like most places, we go by the book, and everybody everywhere uses pretty much the same book, so the bad guys always know what they’re up against. That might be more or less okay, but everybody makes mistakes, and we do, too. Because everyone uses the same book, those mistakes are pretty predictable. So all the bad guys have to do is wait for us to screw up in those predictable places, and they’re in the door.”
Carl starting taking notes again. “Why’s that? How do they know when you’ve made a mistake?”
Frank looked at Carl carefully for a second, and then started to feel more charitable towards him; this kid genuinely didn’t seem to know anything about IT, and here they’d gone and stuck him in the Cybersecurity Investigations Unit.
Frank leaned forward and continued in a more conversational tone of voice. “They don’t have to know when, once they know what the mistakes are likely to be. Here’s an example. You can’t just set up a network, make sure it’s secure, and then forget about it. We’ve got employees coming and going all the time, so that means we’re shutting down old and setting up new desktops all the time. Every time, we’ve got to get everything right, or we might leave a hole in our defenses.
We’re upgrading software all the time, too – not everything at once, but bit by bit, because that spreads the cost and labor out, and because new products and new versions of old products don’t all come out at the same time. Finally, all the hardware has a purchase date, and it all gets cycled out on a fixed schedule for reliability and obsolescence reasons. Once again, every time we change out something, we have to be sure that all of the security settings on the new gear get set up again the right way, or we’ve blown it. Unfortunately, it’s a whole lot easier to forget something than it is to realize it.”
“That still doesn’t tell me how a hacker knows when there’s an opportunity to strike.”
“Like I said, they don’t need to ‘know’ when there’s an opportunity. They just need to know what an opportunity looks like, so they can design a ‘bot – an automatic program – that hammers away every nanosecond at our firewall, waiting for a momentary lapse. All it takes is for a port to be left unguarded for even a moment, or some other minor glitch – and they’re inside. Funny, I was just explaining all of this to my daughter the other day.
Cummings looked suddenly uncomfortable, to Frank’s surprise. “So why do everything the same way?” Cummings said quickly.
“Ah, there’s the rub. Because firewalls aren’t like physical walls. Back at Langley, everybody probably has to pass through just one or two gates to access the grounds, and I’m sure those gates are manned night and day, whenever they’re open. And you’ve certainly got regular and infrared cameras watching the perimeter all the time, and motion detectors besides, and probably more spooky stuff, too, that I’ve never even heard of. People are easy to detect in a half a dozen ways, so I’m sure you’d know in a heartbeat if a bad guy even tried to get in.
Of course, people that want to come in through the gate have to show identification, and for other parts of your facility, they must have to do more than that – you probably use biometric scanners, for example. And all that data can be checked against all kinds of databases before you let them go farther. Once you do let them in, I expect you don’t let them out of your sight unless you already know and trust them. Maybe not even then, I wouldn’t be surprised. And after the U.S. Anthrax attacks back in 2001, every piece of your mail bust be scanned, and zapped with radiation, too.”
“Of course,” Cummings interrupted. “But what does that have to do with cybersecurity? You can’t put physical walls in front of data, and you can’t have a guard checking every email that wants to reach one of your employees.”
“Of course not. But you can very much use exactly the same means in a metaphorical and technical sense – by designing virtual walls and gates, by automatically presenting and checking security credentials against databases, and by scanning attachments and links in email before they’re allowed to be opened.
“Still, though, you can’t “see” a computer program, and that does make it harder to pull off. And remember, I also said that everyone’s firewalls are getting hammered all the time. So returning to the physical world, think what your guards and cameras and other spooky stuff would be up against if instead of looking at wide, floodlit lawns outside your perimeter, there were thousands of people milling up against your fences morning, noon and night? How many guys would you have to have sitting at computer monitors then, trying to figure out which folks were gardeners and which ones were enemy agents, especially if they’re all carrying garden shears?
“But I hear about antivirus software all the time,” Cummings objected. “To use your metaphor, hasn’t someone already figured out a way to tell the gardeners from the spies.”
“Yes and no. There are lots of people trying 24/7 to pick out the bad guys from the gardeners – but when they do figure that out, it’s almost always after some – or maybe a whole lot – of people have already been cut up pretty badly with those shears. So while there are public lists of viruses, worms, and Trojans – altogether, we call them “malware” – somebody had to identify each one as bad stuff before they could put it on the list. Even so, if you’re in charge of security, you’ve got to keep checking that list all the time. Even then, there may or may not yet be a fix you can download to protect yourself.
“Oh yes – and there’s this other big difference between the physical and the digital world. Unlike Langley, where I expect you only welcome in a limited number of carefully pre-cleared visitors a day, there’s this thingy they call the Internet. And oh boy, how we all love the Internet! We want data to be coming in and going out all the time, every day, day and night. It’s like instead of checking people at the Langley gate, we’ve got all four Metro lines going right through the CIA cafeteria, and we’re trying to guard the exits.
Frank was on a roll by now. “But wait – it get’s worse. At least over at the CIA you’re a bunch of spooks, and you only talk about spooky stuff to other card-carrying spooks. You must already be set up to compartmentalize information all up and down the chain and keep things locked down tight. And I expect you’ve got at least one computer system that isn’t connected to the Internet at all, or anything else that is.
“Okay! There’s your answer!” Carl interjected. “Just limit Internet access to just a few people, and cut off the rest. Instead of having a small network that’s disconnected from the Internet and a big one that is, do it the other way around.” He looked pleased.
“Theoretically, you could. But unfortunately, we’re all addicted to access – right up to the top brass. Every day we become more dependent on the Internet, even though we know we probably shouldn’t until we get this cybersecurity thing nailed. We’re like kids in a candy store, that want to have the goodies now and worry about the calories later, even though deep, down inside we know we might lose all our teeth.
“Let’s use the Pentagon as an example – how’s that for a place that needs to worry about cybersecurity? But no, they’re into “network centric operations” now, big time. That means they want everything, everywhere accessible on one big network to anyone with the right clearance. They want to link everyone from a grunt on a mountain trail in Bora Bora to the Joint Chiefs of Staff – and from a road side sensor to a missile silo, too. And until they replace it, everything’s hooked into the same Internet we use at home, so technically every cracker could be able to figure out a way to see and read everything the military can.
“Yeah, but they can’t, right?” Cummings jumped in again. “Otherwise, they wouldn’t be doing it.”
“Oh no?” Frank replied. “Did you see the story the other day about the Taliban intercepting the video from Predator and Reaper drones in Afghanistan, because the Army didn’t think a bunch of terrorists would be sophisticated enough to worry about? It turns out all they had to do was buy some off the shelf software to hack their way in. And now the military says it won’t be able to encrypt the video until at least 2014. How’s that for a case of candy and cavities?”
“So what do you do?” Cummings was taking copious notes.
“Well, to stop that, we have to add an administrative layer to be sure that only the right people can see the right information. That means you have to identify and categorize all that data, and then assign a security level to it and access categories, and so on, and then you also have to credential everyone on the network with the appropriate rights to the appropriate data. But wait – you’re not done yet – because then you also have to administer the matching of credentials with the exchange of only the right data. And did I mention you also have to figure out whether someone logging on is really who they say they are?
“So at the same time that you’re making it technically possible for everyone to have access to everything, you’re also trying to set all of these security conditions so that each person – out of millions of people with some degree of access – can see only what they’re meant to see. Of course, you want to be sure that they can’t change anything they’re not supposed to change, either, because that could be even worse. And remember: there are no armed guards at the security gates checking who gets through the firewall – just computer protocols and programs, all on autopilot. It’s all just software.
“So what’s wrong with protocols and programs?” Carl asked.
“Nothing, up to a point.” Frank replied. “For most commercial purposes, they’re good enough. Matter of fact, there’s a point at which you don’t want to make them better, because the cost becomes prohibitive, or it slows things down too much. At that point, businesses just try and keep them more or less up to date, and plug the gaps with insurance instead of security.
“So economically ‘good enough’ security is what we’ve gotten used to. Think about your plastic credit cards – if someone steals your card and uses it, you don’t worry about it. The card company has a computer program that detects the over-use and shuts it down quick. Yes, the bank may have already lost some money, but that’s built into their profit margin, so the customer doesn’t realize that he’s had to pay a thing. Yes, identity theft is a bigger deal for the person who’s hit, but it hasn’t happened to enough people – yet – to get Congress to intervene.
“So what’s wrong with that?” Cummings asked. “That seems to make sense to me. Why pay for more protection than you need? Credit card costs are already too high.”
“What’s wrong with that is that a lot of things, like national security, aren’t like credit card information. Say we’re talking instead about the Pentagon, or a nuclear power plant, or a Presidential election. You can’t buy enough insurance to cover someone hacking a missile silo, or a nuclear reactor. And insurance couldn’t compensate at all for corrupting the servers tabulating a swing state election, could it?”
Cummings leaned back and folded his arms. “Well, I’m not buying it. I can’t believe the Pentagon, the President and everyone else is just looking the other way while we go to Hell in a cybersecurity hand basket. You must be over stating the problem.”
“Hell no!” Frank snorted. “Haven’t you been listening to me? We haven’t even begun to address cybersecurity the way we need to. What we need to do is get creative – come up with ways to trick the bad guys while still letting the data get through that we want to get through. But instead, we just keep trying to build stronger virtual walls, and forget that we still can’t see the bad guys, or even all the chinks in the walls.
Cummings was no longer taking notes. He sat there quietly, letting Frank run on as he picked up speed.
“When you get down to it, as long as we keep doing things the way we’re doing them now, we’re just kidding ourselves thinking we’ve got any cybersecurity at all. It’s like Homeland security, which is a total joke, only worse. And how can you be worse than Homeland security? It’s more than eight years since 9/11, and we’re still only scanning half the baggage that goes into the holds of passenger planes!
“But it is worse, because the worst can happen, and you might not even know your system has been compromised, so it can keep on happening. The whole damn things a fraud, really – it’s the Emperor’s New Clothes of modern times, just waiting for some smartass terrorist to point out the fact that we’re naked. Except this time, instead of a little kid asking an awkward question, it could be a terrorist, or North Korea, and they’re not going to tell anyone. If something doesn’t happen to make us wake up soon, it could be a very big bang that finally does!”
Frank paused for effect, and then stopped himself short. What happened to just answering questions and telling the news?But Cummings looked pleased. “Thanks, Frank. That was extremely helpful. I confess that I don’t personally know as much about computer systems as I wish I did, and that was very educational.”
Frank looked at Cummings warily; he’d said a lot more than he needed or wanted to.
“So, are we done? I’ve got a stack of work on my desk that isn’t getting done on it’s own.”
“Almost done. There’s just one last thing you could help me with that I haven’t asked the others about, since you seem to understand the hacker mentality so well. Back at the office some of our folks have been putting together a profile of whoever might be behind this Alexandria Project exploit. Mind if I show it to you?”
Frank sat up straighter; this was the first time Cummings had been upfront about the Alexandria Project being a serious matter.
“Okay, sure.”
Cummings pulled a sheet of paper out of his briefcase and slid it across the table. Frank pulled it across the table gingerly and began to read:
Case File: CSIU – CXFGH12KK4 – 7
Suspect Profile
Date: December 15, 2009
Event analysis: The exploit does not appear to be economically motivated, and was clearly meant to be discovered. The person responsible is therefore trying to make one or more points. Possibilities are the inadequacy of LOC security and/or its security staff. Because the exploit is ongoing, the person responsible is demonstrating, and likely reveling, in his self-perceived superiority over those that he knows are trying to track him down.
General:
– Gender: Male – Age: 40 – 55 – Occupation: IT Professional Psychological profile: The suspect will most likely have a very high IQ, be well educated, and creative. He will have a history of rebellion and lack of respect for authority, and be overly impressed with his own talents. He will have a low opinion of those who he thinks are incapable of thinking outside the box, including his superiors and his co-workers, and will not conform well to normal job expectations. He will therefore likely have held many jobs, and few for very long. The suspect’s personality will have rendered him socially isolated at a young age, and a loner throughout adulthood. He will have formed few close connections with his co-workers.
Motivation: The suspect resents his lack of traditional success, and particularly the promotions of those that he believes are his intellectual inferiors. He is likely be obsessed with security issues, and convinced that only he truly understands the danger they present. He will justify his vindictive acts to himself as heroic acts that only he can perform. It is likely that his crimes have been triggered by a specific act or event that offended his sense of self worth, such as the promotion of a co-worker.
Reviewed by: CRC, GLW, FXR
Approved: FXR
Frank looked up carefully when he was through. Yes, Cummings was looking at him with a faint smile.
“So what do you think, Frank? Does that profile hold water? Maybe even sound like someone we should be checking out?”
Frank felt clammy inside his clothes. “I can understand how this might make sense to you.” he said finally.
“Good!” Cummings said, as he placed the profile back in his briefcase and packed up his recorder. “That’s a very helpful confirmation, coming from someone with your background and experience.”
“I’ve got just one last question, then.”
Frank waited.
“Will you be home this evening?” Frank nodded, surprised.
“Good.” Carl said, snapping his briefcase shut. “I’ll stop by around 7:00 PM to pick up your passport.”
While Frank was enjoying himself spear phishing venture capitalists, back at the Library of Congress files were flashing out of virtual view like fireflies on a summer’s eve. One by one, documents important and banal, short and long, drifted silently off in the digital darkness to points unknown, leaving only Alexandria Project contribution screen code behind.