At Boeing Co.'s cyber operations center in St. Louis, a flashing, 54-inch computer screen warns of modern-day burglars and spies.
In an hour’s time on a typical morning this spring, Boeing’s elaborate detection system logged 3,722 suspicious efforts to gain access to the company’s global computer network.
Boeing analysts worked swiftly with company cyber sleuths at other locations to secure the network and identify would-be intruders.
But tracking the hackers can be tough, even with their nine-digit Internet Protocol addresses flickering in vertical rows on the huge color monitor.
“The bad guys are really good at hiding their tracks,” said Kevin Nikkel, a Boeing security analyst.
They’re persistent, too — to an extent that most people can’t fathom. At Boeing, the automated attacks don’t stop, keeping teams of security analysts busy around the clock.
And that’s just at Boeing.
The new head of the U.S. Cyber Command, Gen. Keith Alexander, revealed this month that Pentagon systems are attacked 250,000 times an hour, 6 million times a day. The attackers range from foreign intelligence agents to for-profit criminal enterprises to hackers trying to make mischief, security specialists say.
“In short, we face a dangerous combination of known and unknown vulnerabilities,” said Alexander, who also heads the National Security Agency.
As the federal government moves to address those vulnerabilities, defense contractors such as Boeing are pushing aggressively to win lucrative contracts. Companies accustomed to selling weapons to the government also are bidding for work in secret military programs to develop offensive cyberwarfare tools.
At the heart of the debate is the reality that hackers are aiming at business networks as well as home computers with increasingly sophisticated techniques. They are trying to steal everything from intellectual property to personal financial information — or perhaps they merely hope to cripple systems in “denial of service” attacks. The National White Collar Crime Center reported $560 million in losses from a variety of Internet crimes last year, more than double the reported losses a year before.
“It’s an enormous problem that has been creeping up on us,” said Ronald Ross, a government computer scientist who develops security guidelines for federal agencies and government contractors.
“There’s a whole new wave of cyber attacks being launched right now at the U.S. government and businesses from very sophisticated threat sources,” he said.
James Lewis has written authoritatively on cybersecurity at the Center for Strategic and International Studies in Washington.
The roots of today’s vulnerability, Lewis contends, is the inattention to security over the years in building a global network. Now, he says, hacking operations have grown so sophisticated that some deploy thousands of computers to automatically send malicious probes, one a minute, 24 hours a day.
“You have consumers and companies and federal agencies for whom security is not their top priority, maybe not even a third-level priority. Against them, you have intelligence agencies and criminals for whom this is their top priority,” he said.
For defense and aerospace companies, the government’s recent push to protect itself is welcome given the move away from some of the big-ticket weapons systems. Cybersecurity is widely viewed as a certain growth industry, especially when combined with the government’s confidential programs to develop offensive cyberwarfare capabilities.
“It is one of the very few growth opportunities that exists today in the defense sector. Other areas are likely to trend downward,” said defense analyst Loren Thompson of the Lexington Institute, a think tank supported heavily by defense contractors.
Thompson estimates the government market for cybersecurity at $10 billion to $14 billion — not counting the confidential awards for cyberwarfare, which could double the business available to contractors, according to some estimates.
But before they can offer protection for others, defense contractors must first secure their own networks from hacking. At Boeing, a major computer outage in the mid-1990s led to the formation of its Tiger Team and a shift in thinking about computer security. Last year, amid increasing worries about unauthorized access to its system, the company moved to a smart-card system to gain access.
Linda Meeks, Boeing’s chief information security officer, recalled the increasing number of attacks, such as those with phishing e-mails to employees that appeared to be coming from friends and family.
Meeks said the company decided to turn off e-mail access to anyone without a card. At a conference discussing the decision, she recalled being “brutally honest about what happened in the company.”
Boeing, which houses its primary information technology operations in St. Louis, describes its entrance into the cybersecurity business four years ago as a natural progression in its defense business. Jeff Trauberman, vice president of business development in the company’s Network and Space Systems division, said his company is providing products to government agencies both for cyber defense and cyber offense.
For instance, the Defense Department is among those that have purchased a version of the Boeing Security Monitoring Infrastructure System, like the network deployed in St. Louis to monitor would-be hackers.
“We are actually a bigger player in the market than people might know. We expect not only to continue to be a big player, we expect to grow in this area with new facilities, new capabilities,” Trauberman said.
Lockheed Martin Corp., one of Boeing’s competitors, operates similar security intelligence centers in Maryland and Colorado, breaking down attacks into phases it calls the “kill chain.”
Retired Air Force Lt. Gen. Charlie Croom, who directs Lockheed’s cyber operations, said that 80% of the attacks his company sees in its work with the government use methods the company has seen before. It’s the other 20%, the advanced persistent threats, that companies like his worry the most about — including “threats from nation states who want to come in and steel our secrets.”
“Like somebody asked, why do bank robbers rob banks? For cyber criminals, computers are where the money is,” he said.
The threats may be increasing, but so is the competition to sell the remedies, observed the Lexington Institute’s Thompson. For the companies, “It’s a free-for-all, and they are going to drive down each other’s profit margins,” he said.
There are implications for taxpayers, too, with the government spending billions without clear standards to evaluate what companies are selling.
“There doesn’t seem to be a rigorous framework for saying ‘that’s enough,’ ” he said. “No matter how much the government buys, somebody always is going to have this plausible reason for why we’re vulnerable.”
Lambrecht writes for the St. Louis Post-Dispatch/McClatchy.