Barrett has reluctantly come to the same conclusion as Cymru’s Steve Santorelli, SANS’s Paller, McConnell, and others: that the only way to create a secure Internet is to start over. The fiber optics can stay and the same chips can be used. But there needs to be a new protocol. It could be privately financed, as banks and others give up on making transactions secure in the current framework, or publicly financed, as the initial Internet research was.
In the meantime, Paller uses some of the same language as Harvard scholar Jonathan Zittrain, author of
The Future of the Internet
—
And How to Stop It.
While calling for a “latter-day Manhattan Project,” Zittrain advocates temporarily putting two operating systems on every personal computer, which isn’t as daunting as it sounds. One would be free to explore the Web but would be barred from making changes to the machine. The other would be walled off and secure. Paller said the same approach could work for the broader network. “One part of it that absolutely has to happen is the ‘red’ and ‘green’ Internet,” Paller said. “The red Internet is what we have now, where nobody knows you’re a dog, and with green you have absolute knowledge of who you’re dealing with.”
An increasing number of authorities are sounding the same theme. “Do we need to develop an enhanced Net, with two-factor authentication [such as passwords and tokens] and secure fingerprints? These are the things we should be working toward, including changing TCP,” the basic protocol Cerf co-wrote, said former cybersecurity czar Schmidt. “I support that. We need to make a good investment in looking toward that direction, instead of fixing it for this week.”
The investments to date have been miniscule, one hundredth of what is needed. In 2007 the National Science Foundation granted just $2.5 million a year to the Global Environment for Network Innovations, a platform for experiments that could lead to a new Internet. The next year, Deutsche Telekom and Japanese computer maker NEC said they would each give $750,000 annually for similar work at a new Clean Slate Lab at Stanford University.
In the longer term, Barrett said, “If we could build ships to put people on a separate planet, we should be able to articulate a specification for a protocol that would make society flourish digitally. We need an Apollo Project, with Vint Cerf and others. That would be pretty exciting. A new protocol could solve network neutrality, security, other flaws, DDoS attacks, and all kinds of scaling issues. Am I sure it’s doable? Absolutely.”
EPILOGUE
ANDY CROCKER RETIRED FROM THE Serious Organised Crime Agency, the squad that absorbed the United Kingdom’s National Hi-Tech Crime Unit, in 2009. He was rewarded with a pension and a commendation at a ceremony led by Britain’s home secretary. The certificate praised Andy’s “outstanding commitment, investigative ability, fortitude and professionalism” in “a complex investigation into a Russian organized criminal enterprise.” The ceremony was conducted behind closed doors, befitting an agency that was as opaque as the FBI and even less effective. Andy began working with Barrett Lyon’s help to set up a private company, Cyber Security Shield, to defend against botnets, aiming at financial companies and government agencies as clients.
The careers of Andy’s key allies inside Russia, including Igor Yakovlev and Anton Pohamov, failed to flourish after their most famous case concluded. Similar trials were not forthcoming. Kazakhstan, meanwhile, reported that it found insufficient evidence to proceed against the man accused of being Brain, prompting SOCA to close the case. Pohamov’s boss, the chief prosecutor in Saratov, announced another in a series of corruption probes against high regional officials and was assassinated by a gunman.
Barrett’s BitGravity did well in Silicon Valley as companies continued to invest in Internet video through the economic downturn. By 2009, BitGravity’s customers included the largest Web video company on the planet, YouTube, and it had been named one of the ten best start-ups at DEMO, the famed technology conference. Private investments valued the company at more than $10 million, with Barrett owning close to 50 percent.
But Barrett himself ran into problems. Always outspoken and skeptical about authority, he clashed with BitGravity co-founder and chief executive Perry Wu over how a few customers had been treated. The battle escalated until the young company’s board had to choose between the two men. Some directors had been close to the CEO for years, and the group as a whole was more accustomed to hearing from Wu than from Barrett. Barrett lost the fight and had to leave the company.
It didn’t take Barrett long to come up with a new idea, combining what he knew about content-delivery networks with the lessons from his war with the botnets. The existing content networks relied on massive company-owned storage and bandwidth, while the botnets had demonstrated that millions of PCs could together form a sort of supercomputer. Barrett thought he might be able to harness the unused bandwidth and processing on idle PCs and networks, letting the owners sell their excess capacity to those who needed it. By fall 2009, Barrett was negotiating with venture capital firms interested in investing millions.
Barrett also grew tired of the FBI as he kept answering agents’ questions without seeing any arrests of members of the group from Costa Rica. Things with Miami agent Paul Betancourt came to a head after Barrett, Andy, and I traveled together to Moscow for research. Betancourt told Barrett he knew about the trip, and he started asking Barrett what he knew about the Russian Business Network. Then Betancourt asked Barrett to fly east and take a polygraph. Barrett declined. He told Betancourt that he didn’t want to hear from him again unless Barrett needed to testify in court.
Other parts of the government, however, grew increasingly interested in Barrett. In June 2009, the Defense Department announced a new Cyber Command under the head of the National Security Agency. At about the same time, Barrett and Andy spoke on a panel at a secret Washington conference, dominated by intelligence officials, on fighting terrorism. Andy talked about how Al Qaeda and other terrorists could easily use the Russian Business Network or other criminal service providers to attack the U.S. Barrett explained why the Internet was being held together with duct tape and needed to be rebuilt.
The spies didn’t seem very interested in launching that kind of effort. But the director of a Pentagon office flush with new money for fighting terrorism online asked Barrett to deliver a menu of offensive weapons he might be willing to provide for hacking into or destroying enemy networks. Barrett did no such thing, instead devoting himself to his new content-delivery company, called 3Crowd Technologies. It would, he mused, put him at the helm of the world’s biggest botnet.
AUTHOR’S NOTE
REPORTING THE RUSSIAN SIDE of the events in this book presented considerable challenges. Despite the fact that the prosecution of the three hackers was a success, the FSB instructed the MVD not to cooperate during my trip to that country, informing the agency that I was “probably” a spy. Inside the hotels where I stayed, muscled security guards kept track of whom I met and spoke into wireless mouthpieces when I moved. I did manage to meet safely with people involved in the case, from the MVD and elsewhere, but most spoke on the condition they not be named. My efforts to contact the men accused of being King Arthur, Brain, the head of Rock Phish, and the author of Bagle, among others, were unsuccessful.
I want to give some flavor from reporting on the ground in Moscow, if for no other reason than to suggest the hurdles before solid technical research and law enforcement. As one example of an on-the-record session, I had been looking forward to an appointment with Kaspersky Labs, which I figured would have a unique perspective. The company is one of the best antivirus outfits in the world. Yet it’s based in the belly of the beast, routinely analyzing malicious programs for Russian police investigations and judges overseeing trials.
I told Chief Executive Eugene Kaspersky, research chief Alexander Gostev, and senior researcher Vitaliy Kamlyuk that I was writing about the hunt for the world’s worst cyber criminals, and that a decent proportion of that group appeared to live nearby. Kaspersky jumped to control the discussion from the outset, writing down possible definitions of“worst.”The greatest financial damage, he said, was in the £229 million cyber heist of a Sumitomo bank branch in London in 2005. Of those arrested, one was Israeli, one was Swedish, and four were from the U.K. Kaspersky appeared pleased. Actually, that attack failed. In terms of damage to the Net, he continued, the worst attacks were the viruses Sasser, Blaster, and Slammer. None of those involved making money. “With hundreds of arrests,” Kaspersky asserted, “we have never had a connection to traditional organized crime.”
The conversation was confusing because the three analysts had different approaches for warding off what one termed “the myth of the evil Russian hacker taking over the world.” Despite the lack of prosecutions, the police have been intent on catching the leaders of the Russian Business Network for two years. Yet at the same time, what the RBN does is legal. The RBN is just a hosting provider. Yet it is close enough to the world of credit card fraudsters that when the founder of McColo, which Gostev called an RBN subsidiary, died as a passenger in a St. Petersburg street-racing accident, the driver fleeing the scene was a well-known carder. The RBN leaders have escaped thus far because they are master criminals—but master criminals who mysteriously have no need of government sponsors.
I asked about politically motivated attacks, such as that against Georgia. “There was no need to attack Georgia,” Kaspersky said, because the fight on the ground went so well for Russia. Gostev reported that a major DDoS attack on Kyrgyzstan was currently under way and that “there are allegations that it’s from the Russian special services.” Kaspersky shook his head. “I don’t think Russia has any reason to attack them,” he said. In fact, Russia had an excellent reason. Days after the electronic assault on its main Internet service providers all but wiped out local Web access, Kyrgyzstan would stun the U.S. by announcing that it would stop letting it use the Manas air base—which was playing a major role in the American war effort in Afghanistan—and join a new regional military alliance led by Russia.
I WANT TO ESPECIALLY THANK the Russians who took considerable risks to speak more forthrightly. Barrett Lyon and Andy Crocker are obviously brave and unusually talented men: they were also exceedingly generous with their time and patience. I am also indebted to other law enforcement officers in the U.S. and England, especially those who dared to speak unofficially.
Cybersecurity is one of the most complex topics in the world today, and no one can hope to understand all aspects of it. Some of the premier experts in government are cited in the text, while others asked not to be exposed. I was fortunate to be aided by many of the most able private researchers, not all of whom are paid for their work, including Joe Stewart, Rafal Rohozinski, Don Jackson, Jart Armin, Paul Ferguson, Avivah Litan, and Dmitri Alperovich. My fellow journalistic specialists also do an important service for followers like me and for the world at large. Among the very best are Brian Krebs, John Markoff, Jon Swartz, Byron Acohido, Kevin Poulsen, Kim Zetter, John Leyden, and Robert McMillan.
I am grateful to my former colleagues at the
Los Angeles Times,
who supported my early reporting and allowed me a leave to write; my new friends at the
Financial Times,
who gave me time to finish; Lindsay Jones and others at PublicAffairs; my agent Jill Marsal; Chris Gaither, who served as an unpaid manuscript editor; and those close to me who dealt with my prolonged distraction and repeated absences.
This book is for all those who face dire consequences for telling the truth but do so anyway.
LosAngeles
—
LasVegas
—
SanFrancisco
—
London
—
Moscow
NOTE5
WEBSITE ADDRESSES LISTED HERE were live as of July 2009. If they no longer work, search-engine caches and
www.archive.org
preserve many old copies. Some are duplicated at
www.josephmenn.com/FatalSystemError
. That site also contains many of the original source documents cited in the body of the book.
Under SOCA’s strict policies, Andy Crocker is not allowed to speak to outsiders about his work at that agency. The account of his activities after SOCA replaced the NHTCU is pieced together from interviews with his allies in law enforcement in Russia, England, and the U.S., as well as with Anton Pohamov and Barrett Lyon.
INTRODUCTION
x
30 percent of Americans had become identity theft victims:
According to analyst Avivah Litan of Gartner Research.
x
$1 trillion a year to Internet criminals:
According to a McAfee analysis cited by President Barack Obama in May 2009.
xi
catching less than 1 percent of the bad guys:
Litan.
4
as much as $5 million:
BetCRIS has given out conflicting estimates of its revenue and has tended to exaggerate. This number is based on internal figures.