Govt. deploys hackers for national defense

IDAHO FALLS, Idaho--Jason Larsen types in a few lines of computer code to hack into the controls of a nearby chemical plant. Then he finds an online video camera inside and confirms that he has pumped up a pressure value.

"It's the challenge. It's you finding the flaws," he said when asked about his motivation. "It's you against the defenders. It comes from a deep-seeded need to find out how things work."

Larsen, 31, who wears his hair long and has braces on his teeth, is a computer hacker with a twist. His goal is not to wreak havoc, but to boost security for America's pipelines, railroads, utilities and other infrastructure, part of a project backed by the Idaho National Engineering and Environmental Laboratory, or INEEL.

Sponsored by the U.S. Department of Energy, the Idaho lab last month launched a new cybersecurity center where expert hackers such as Larsen test computing vulnerabilities. Spread across 890 square miles in a remote area of eastern Idaho, the lab gives experts access to an entire isolated infrastructure such as the one Larsen hacked into.

"I don't think people have an understanding of what could be the impact of cyberattacks," Paul Kearns, director of INEEL, told Reuters. "They don't understand the threat."

In recent months, U.S. security officials have warned that the nation is not prepared against cyberterrorism.

"I am confident that there is no system connected to the Internet, either by modem or fixed connection, that can't be hacked into," said Laurin Dodd, who oversees INEEL's national security programs.

He added that only a computing system totally isolated from the outside, such as that used by the CIA, would be immune to hacking.

Another problem is that many once-isolated systems running railroads, pipelines and utilities are now also accessible via the Internet and thus susceptible to sabotage.

"More and more of these things are being connected to the Internet, so they can be monitored at corporate headquarters," said Dodd, INEEL's associate lab director. "It is generally accepted that the August blackout last year could have been caused by that kind of activity."

"Most people think risk in this area is not going to result in thousands of deaths," he continued. "If somebody could wreak havoc in the financial system by getting into computers and as a result people lost confidence in the financial system, that could be pretty consequential."

Added lab director Kearns: "That's what al-Qaida is all about."

Steve Schaeffer, of INEEL's cybersecurity lab, was recently asked to decode a system designed by General Electric.

"My test was to subvert that guy's system in some manner," he said. "It only took about two months before we had enough information to affect the protocol (and) affect operations. If they can dial into the system, guess what, so can I."

Lab officials emphasize that such hacking occurs within INEEL's own facilities rather than at real-life entities outside. The Swiss engineering group ABB recently signed an agreement to become INEEL's first cybersecurity customer to test their actual vulnerabilities.

INEEL officials tell of a recent visit by an Idaho utility executive who declared his system had no problems. By the end of their demonstration, the shaken executive was asking for a comprehensive review of his company.

In another incident, INEEL's Larsen entered a U.S. agency in Washington, D.C., and hacked into its computer system with a simple handheld computing device, much to the surprise of officials there, a lab official said. Larsen declined to discuss the episode.

When it comes to Larsen's background, there is a fair amount that he and his superiors prefer not to discuss. To gain the skills he has, one must have experience in the nebulous world of hacking.

"This is one of the few places where it is legal to give people those kind of challenges," said Robert Hoffman, head of INEEL cybersecurity and the person who hired Larsen. He said he was impressed that Larsen had written his first computer code at age 13.

"I learned my hacking back when it was a cool thing," said Larsen, as he spoke of computing in the pre-Internet days. He wore a black T-shirt with the inscription "Stop laughing, computers are cool now."

INEEL officials say the lab would not hire anyone who had committed criminal acts and added the employees must obtain security clearances. "How do you know that your wife is not going to clean our your bank account?" Schaeffer said. "You just trust people and you do background checks."

The Idaho cybersecurity effort is part of the Department of Homeland Security's efforts to boost defenses against possible attacks of all kinds. INEEL seeks a delicate balance between encouraging key parts of the U.S. economy to boost their cybersecurity without inspiring any nefarious acts.

"What you don't want to do is increase the threat by advertising what you can do. I think dirty bombs is one example," said Dodd, INEEL's national security head.

Sep, 15 2004