Growth in 'cyberterrorism' puts energy industry at risk

May 11, 2000
The oil and gas industry is particularly at risk from computer crimes by malicious individuals, fanatic terrorists, and hostile nations, says an energy industry consultant on computer security.


Sam Fletcher
OGJ Online

The "Love Bug" virus that recently infected computer systems around the globe may have been a wake-up warning of the world's growing vulnerability to cyberterrorism, but only for the latest victims, says an energy industry consultant on computer security.

"To those not bitten by the Love Bug, it's still somebody else's problem," said Gary J. Green of PetroTech Alaska, who assembled a last-minute panel of experts to discuss computer security at last week's Offshore Technology Conference (OTC) in Houston.

Earlier this year, a less spectacular group of "black-hat" hackers shut down electronic-business operations on several high-profile web sites. Authorities also hailed that as a wake-up call. But it apparently was not noticed by many and soon forgotten by most, especially companies that haven't the in-house expertise or money to build computer defense systems.

"It's like radiation: you don't see the problem until it gets you," said Green.

Energy especially vulnerable
As one of the biggest corporate users of computers to explore for, produce, process, transport, store, and market volatile products that sustain global economies, the oil and gas industry is particularly at risk from malicious individuals, fanatic terrorists, and hostile nations, he said. That risk grows as the industry embraces the technology of smart valves, intelligent well completions, and e-commerce. It only takes one connection with the internet to open a corporate computer system to the danger of outside intervention.

And sometimes the internet isn't even necessary. "Many companies use radio signals to transmit information about equipment. If those signals aren't encrypted, they're subject to attack at any time," Green said.

No one knows how many companies in the energy and other industries have already been victimized by computer hackers. Firms usually try to deal with such problems quietly, seeking redress through civil rather than criminal courts to avoid frightening investors or attracting attention from other hackers, Green said. But unofficial sources indicate that the problem is substantial.

And unlike the Y2K problem, it can't be resolved with a one-time fix. It's more like a Cold War arms race, with each side struggling to surpass the other with expertise and technology.

Computer wars
If the Love Bug hackers, allegedly from a Filipino trade school, could trash tens of millions of computers worldwide, resulting in a potential $10 billion of lost man-hours, what might be accomplished by "hostile government agents, with plenty of time and lots of resources," Green wonders. Such an attack would likely be more subtle and harder to detect, he said: reducing production here, delaying transportation there, bottlenecking operations, and slowing down the system so that vital energy supplies can't reach markets at critical times.

National Security Council officials report more than 100 countries now are developing "cyberwarfare" capabilities. Unable to challenge US military power directly, some nations are looking to the use of computers to sabotage key economic, military, and social institutions.

Because 90% of US computers are owned or operated by private industry and local or state governments, all elements of society are open to attack.

US military officials know it can be done. In a 1997 military exercise, a dozen people were assigned to "attack" the Pentagon's computer systems, using only unclassified techniques and information gathered from the internet. Within a week, the hackers took over the system before most of the Pentagon staff realized anything was wrong.

The US Department of Defense now is working to isolate its computer system from outside connections.

Federal assistance program
In 1998, US President Clinton launched a national plan for protecting US computer and other critical national communication infrastructure. He also established the National Infrastructure Protection Center (NIPC) "to detect, deter, assess, warn of, respond to, and investigate intrusions and illegal acts."

NIPC is a unit of the Federal Bureau of Investigation. The FBI is the only government agency whose computer system is totally isolated from outside connections, officials said. However, some congressional critics claim the defense department should play a bigger role in that operation, since the FBI is restricted primarily to domestic operations.

Critics in both the government and private sector also fear too much government supervision of internet operations. They want security, but not at the sacrifice of personal privacy.

But the NIPC's goal is to work with industry to develop protection systems, not more regulation, said John Tritak, director of the Critical Infrastructure Assurance Office (CIAO), at the OTC session. It was the CIAO that drew up Clinton's National Plan for Information Systems Protection.

Such cooperation among government and industry will mean loosening some US antitrust restrictions to allow freer exchange of best practices information among companies, proponents say. It will also require tightening some Freedom of Information laws to prevent government release of critical data that might help terrorists attack refineries, chemical plants, and other sensitive facilities.

The federal budget for fiscal 2001 includes a 16% funding increase for that program to $2.03 billion. But at hearings before the Senate Judiciary Committee last month, Arizona Attorney General Janet Napolitano called for federal funding of "a minimum of $500,000/year per state for at least 3 years" to help the states with the expense of training police and prosecutors and buying the high-tech equipment necessary to combat computer crimes.

The states will "undoubtedly carry the bulk" of those investigations and prosecutions, including the "full burden" of cases involving juveniles, she said.