Bringing Down The Internet

If you wanted to write a science-fiction thriller about the day the Internet crashed, you'd start with a computer geek. Armed with nothing but a laptop and a high-speed Internet connection, he releases a fast-spreading computer virus that in a matter of minutes gives him control of thousands, perhaps millions, of personal computers and servers throughout the world. This drone army launches a silent and sustained attack on computers that are crucial for sending around the billions of packets of data that keep e-mail, the Web and other, more basic necessities of modern life humming. At first the attack seems to be an inconvenience--e-mail traffic grinds to a halt, Web browsing is impossible. But then the problems spread to services only tangentially related to the Internet: automated-teller machines freeze up, calls to emergency numbers fail to get routed to police stations and ambulance services, airport- and train-reservation systems come down. After a few hours, the slowdown starts to affect critical systems: the computers that help run power grids, air-traffic control and telephone networks. Call it the worldwide muddle--a level of confusion that sometimes occurs during storms and power outages, but never before on a global scale.

So far there's no element of this plot outline that hasn't already happened, at least in piecemeal fashion. Here's where we enter the realm of speculation: what if such a cyberattack were accompanied by a physical one--perhaps a coordinated bombing attack on a few dozen buildings around the world that house computers essential for keeping the Internet working? Would it be possible for a small band of savvy terrorists to crash the Internet?

Nobody argues that it would be easy, but an increasing number of experts are beginning to think that an Internet catastrophe of some sort is almost inevitable. Recent virus attacks that exploit unprotected machines and use unsolicited e-mail, or spam, as a weapon have shown that the Internet is more vulnerable to manipulation than people thought. Even though those attacks were assumed to be motivated chiefly by commercial gain--to spam the Internet with promotions of black-market Viagra and other dubious products--their success has led experts to wonder what might be done if chaos and economic harm were the goal. "All you need is one computer and one sick mind who has a good understanding of how the Internet works," says Klaus Kleinfeld, president and CEO of the Siemens Corp., the U.S. subsidiary of Siemens AG, and a member of the Business Roundtable's security task force. Add a few well-placed bombs, say some computer experts, and it might be possible to bring down the Internet for months. Even without bombs, determined hackers could cause enough damage with repeated attacks--bringing down the Internet one week, and doing it all over again the week after.

The consequences of such disruptions would be more than a mere inconvenience. While engineers repaired the damage, corporations, governments and organizations that have made the Internet crucial to their day-to-day operations--that is, just about everybody--would scramble to rediscover old-fashioned pen-and-pencil methods, while the world economy went into free fall. Each year that goes by brings us closer to the point when even basic operations of society rely on the Internet. "I'm terrified if I think too hard about it," says Paul Vixie, president of the Internet Software Consortium, a nonprofit that helps maintain the Internet. "This isn't so much a threat to national security as a threat to civilization."

Over the past few months the sheer volume of Internet traffic, propelled by the proliferation of spam, has emerged as a major threat. Europe's response has been to institute "opt in" laws, being adopted this week, that forbid marketers to send spam unless they've gotten prior consent from consumers. It's unlikely to stop spammers who operate beyond national borders, and it certainly won't stop terrorists. According to Spamhaus, a London-based anti-spam organization, spam accounts for 60 percent of all Internet traffic, and it's expected to rise to 70 percent by the end of the year. E-mail traffic overall has risen from less than a billion messages a day in 1996 to more than 25 billion now, estimates research firm IDC. The Blaster virus this past August, and Slammer in January, demonstrated that viruses can enlist hordes of computers to become surrogate spam spreaders, and that it would be a relatively simple matter to coordinate a massive spam attack on specific weak points.

A major reason the Internet is more vulnerable than it was even a few years ago is the proliferation of broadband connections. Back in 1988, when the Internet was mainly used by academics, Cornell University graduate student Robert Morris wrote a program that spread surreptitiously from computer to computer--the first "worm." It took down 10 percent of the 60,000 computers then connected to the Internet. In 2002, broadband subscribers numbered 63 million worldwide--an increase of 72 percent over the year before, according to the International Telecommunication Union. Although corporations, governments and other institutions have gotten more savvy at protecting their computers with firewalls and security software, millions of PCs in people's homes are sitting ducks for invasive software. That's why the Slammer virus was able to infect 75,000 computers in just 10 minutes. In South Korea, which has the highest proportion of broadband-connected homes--70 percent--in the world, the top three Internet service providers were shut down, bringing virtually all of the country's e-mail and Web browsing to a halt. Slammer also disrupted the Davis-Besse nuclear power plant in Ohio, froze a 911 emergency-call-dispatching system in suburban Seattle and took down Continental Airlines' ticketing and reservation systems. This summer the Blaster worm brought down CSX's train-signaling system in 23 states and Air Canada's computer check-in service--and some experts speculate that it might have been a factor in the power outage that threw much of the Eastern United States into darkness.

The speed at which viruses can spread is making it harder to fight them. It typically takes two or three hours to decode a virus once it's detected, says Mikko Hypponen, head of virus research at F-Secure in Helsinki. Slammer took 10 minutes to install itself on thousands of hard drives. A so-called flash virus would work even faster. A hacker would have to invest a few hours "scanning" the Internet for vulnerable computers, and then the virus could be dispatched directly to these computers in a matter of seconds. So far experts haven't detected any flash viruses, but there's plenty of scanning going on--it accounts for 10 percent of Internet traffic, by some estimates.

Viruses work on what experts refer to as the "edge" of the Internet--PCs and so forth. But computers that make up the guts of the Internet are also vulnerable to attack. For instance, when an e-mail message is sent or a Web page is called up, domain names (like must be translated into numbers, or Internet-protocol addresses, which tell the information where to go. This is the job of root servers--a kind of master directory, without which Internet traffic would grind to a halt. Root servers are protected from physical attack by redundancy. There are 10 in the United States and one each in London, Stockholm and Tokyo; if all but one went down, the last one standing would still be able to keep the Internet running (albeit slowly). Security varies from one location to another. Whereas Server I, in Stockholm, sits 40 meters underground, London's Server K resides in an aboveground building surrounded by barbed wire and security guards. Root servers aren't the only physically vulnerable spots. A dozen or so big exchange points--the big traffic hubs of the Web--in the United States handle a big chunk of the world's Internet traffic; an attack on these machines might also create a disruption big enough to spread overseas. Like much Internet technology, root servers and exchange points are protected as much by ignorance as by barbed wire, and some experts worry that they're potential targets for those who would try to bring the Internet down with some combination of viruses and bombs.

Viruses have already attacked root servers. In October 2002 a virus launched a "distributed denial-of-service attack" on Internet root servers--a flood of useless information from thousands of zombie computers--that crippled nine of the 13 root servers for up to an hour. Internet service was maintained through the remaining four servers. This past July, Cisco Systems--which runs about 80 percent of Internet routers--released a software patch for a security flaw that had left its hardware open to hackers.

Software is yet another problem area. Microsoft software, by virtue of its ubiquity, is a particular worry. Last August Dan Geer, a former chief technology officer for security firm @stake, helped draft a report arguing that Microsoft wasn't doing enough to make its software secure. "The more the monoculture is pervasive, the greater your exposure to catastrophic collapse," he says. Geer was sacked the next day, and @stake said that the report was "not in line" with its views. Geer is not the only one who's been critical of Microsoft. "The way Windows is designed, once a rogue hacker or virus gets into a system, it can do all sorts of malicious damage," says John Naughton, an Internet expert at Britain's Open University. "If I were Al Qaeda, I wouldn't waste time with nuclear weapons. I'd be going to Microsoft training courses." Microsoft says it is taking steps to improve the security of its existing operating systems and is making security a priority in developing Longhorn, its next-generation operating system.

The problem isn't just Microsoft. Internet protocols--the rules that govern the Internet--were devised by academics in the days when junk e-mail was considered rude. "We have commercialized something that was never thought of as being commercial. It was never designed that way," says the SANS Institute's Marcus Sachs, a former White House staff member. "Today's Internet really is based on a prototype." The Internet doesn't have an Achilles' heel so much as thousands of soft spots that a clever, multifaceted attack could exploit. "A successful attack, like a successful business plan, does not rely on a single bit of magic, or some single good idea," says Vixie. "There has to be a large number of small components that come together in a recipe that produces the ideal effect."

Preventing such a perfect storm may require an elaborate and expensive reworking of Internet protocols and the widespread adoption of encryption, even for routine e-mail. Some experts propose building a sort of parallel Internet, made of secure routers, that would handle sensitive information. Such measures might change the Internet beyond recognition. Imagine having to pay postage for e-mail. And imagine governments around the world coming together to regulate this medium, which conquered the world precisely because it was decentralized and open to all comers. It's hard to imagine summoning the political will to undertake such a project, unless some crisis makes the need for it apparent to all.