, SecurityFocus 2000-05-17
Former CIA director warns that spies will soon use "instructive" viruses that steal secrets as they spread.
If somebody's put an instructive virus on your system... you've got a serious problem.
As described by Woolsey, an "instructive" virus would spread covertly and use minimal system and network resources as it instructs computers to perform certain functions undetected, like stealing particular secrets from specific targets.
Woolsey gave a law firm with a sensitive case as an example victim. "They get a virus into the local area network that says, 'transfer at midnight, Sunday night, all files on such-and-such a case to this particular outside computer,'" Woolsey explained. "If you've got an instructive virus in your system that is reading out your files to one of your competitors, that may have been going on for some time."
Woolsey served as Director of Central Intelligence for two years ending in January, 1995, and is now with a Washington law firm. He ignited a storm of controversy in March, when he authored a Wall Street Journal op-ed piece attacking reports that U.S. intelligence agencies use the NSA's "Echelon" global surveillance network to spy on European industry for the benefit of American corporations. "Most European technology just isn't worth our stealing," Woolsey wrote.
Wednesday's statements came at the Economic Strategy Institute's Global Forum conference, on a panel titled "Old Armies and Alliances & New Threats (Cyber and Bio-Terrorism)." Also on the panel was Swedish ambassador Rolf Ekeus, Leon Fuerth, assistant to the Vice President for National Security Affairs, and Representative Curt Weldon (R-PA), of the House Armed Services Committee.
Weldon, an outspoken "cyberterrorism" bellwether, drew audible murmurs from the audience by recounting the story of an unidentified hacker who changed the computer-stored blood types of every patient in an unnamed New York hospital. Weldon -- who told the same story at InfowarCon '99 last September -- added no details Wednesday, and the tale continues to defy verification.
Woolsey warned that cyberterrorism is a real threat, and said that terrorists are more dangerous now than during the cold war when they were restricted in their use of mass murder by stabilizing Soviet influences. "The combination of loose organization, the new technologies that they can use to communicate, and the lack of restrictions on mass casualties, creates a very different situation," said Woolsey.
"We have terrorist groups that don't want a place at the table at all, they want to blow up the table and everybody sitting at it," Woolsey said.
The instructive virus may be a valuable tool to such a terrorist by instructing critical computers to shut down vital infrastructures, Woolsey claimed. Industrial spies can use them to steal secrets, and Woolsey warned that even strong crypto is no match for the spy-virus. "Encryption essentially works to protect data on the link, but if you've had your computer or network hacked into or somebody's put an instructive virus on your system and is reading out your files before the data is encrypted, you've got a serious problem," said Woolsey.
Experts say the supposed threat isn't entirely new, and point out that the recent ILOVEYOU virus attempted to steal passwords and email them to a central source while it spread. "The game would be to go through all the email addresses in a company and hope that somebody was stupid," said Richard Smith, a specialist in ferreting out malicious code. "I don't know about state sponsored terrorism, but I could see a private detective hired to get information, who's less than ethical, using this for industrial espionage or divorce cases."
"It seems like if you really wanted to get confidential information... it would make more sense to get an insider, or hack into a system," said Dorothy Denning, a computer science professor at Georgetown University and author of Information Warfare and Security. "If you hack into the system, you're free to browse around. The whole system's yours."
Denning said she believes such viruses are entirely possible, but not very practical, and would only appeal to a narrow field of would-be attackers. "It sounds like something that maybe intelligence agencies might do," said Denning.